Whatever business you are in, especially B2C, if you have a database that you are actively using for marketing purposes, you now need to be GDPR compliant. For B2B companies there are still discussions going on, and the current ICO position is as follows:
“It is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services” (Section 33)
Furthermore, if you have received or bought a marketing database from a third-party GDPR-compliant source, this is not enough to satisfy current and future legislation if your business is not itself GDPR compliant.
Your Privacy Policy needs to be written so that your customers can understand it and so that it complies with GDPR requirements. Having a well-written policy demonstrates that your business is serious about protecting privacy and customer data. You also need to review your Data Protection Policy to cover areas such as:
- The personal information you ask customers for and where (i.e. what data you collect when an order is placed, or when a service is provided)
- The reason for capturing that information and what you’ll use it for
- Where and how you store that data – it needs to be located in the EU
- Whether it will be transferred and, if so, how
- Will it be disclosed to a third party?
- What your process is to delete it.
You’ll also need to review your current IT security policy and how you collect, use and store any customer data. GDPR means that your customers have the right to ask you to share and/or erase their personal data. You will need to look at your current systems and gather information to demonstrate that you are able to track, disclose and delete data easily if you’re asked to. Here is a list of the key areas:
- What personal data do you collect?
- Can you track and erase personal data? You will be expected to do this within 72 hours if requested by a customer.
- Do you store any personal data?
- Where is personal data stored (on computers, servers, in the cloud)?
- How is personal data used?
- Is data disclosed to anyone else, or shared/transferred?
- How and where do you back up data?
- Do you have a business continuity plan and a disaster recovery plan?
Failure to comply by the due date puts you at risk, which may result in a significant fine.
Having said that, if you are a small business and you can demonstrate that you’ve done your best to comply with the requirements of GDPR, regulators will work with you on any problems that might arise.
However, preparation is key, so if you’ve not yet started to prepare for GDPR, all is not lost. You need to start planning now to ensure you’re ready for next May, and there are useful links below.
For help in getting your database compliant, contact me here.
Further reading: http://www.eugdpr.org/ and https://ico.org.uk