I’m sure you’ve heard about this thing called the “GDPR” and maybe even read my introductory blog post about this new regulation. GDPR affects any business that works with EU citizens or in the EU. This applies to businesses operating in the U.S. too if you have ANY European customers or clients. The GDPR requires businesses to make every effort to mitigate the damage security breaches have on people, particularly EU citizens. Ensuring privacy rights and data protection is a hot topic around the world right now with high profile data breaches and the GDPR aims to protect individuals personal information online.
I’ve had lots of friends and clients ask me about what they should do to get ready. So, here’s a quick 10-step guide of things you need to do before May 25th to be in compliance with these new regulations. These 10 steps are going to be mandatory for businesses with EU ties in order to avoid trouble. As I mentioned in my previous blog post, it is unlikely that data protection agencies will target small businesses and entrepreneurs for non-compliance, so don’t panic!! But, it is ALWAYS better to be safe than sorry!
If you’re a small business or entrepreneur, not all of the GDPR regulations apply to you
If you are a business with 250 employees or less, you do not have to comply to all GDPR rules. If you fall within these parameters, you do not have to provide documentation of why personal data is being collected and processed, or information about how long you’re storing the information. You also are not required to have detailed records except if there is a great risk of that your method of processing personal data could risk an individual’s rights or freedoms.
Do you use email as a way to market your business, website or blog? If so, you need to make sure that you include GDPR disclaimers on EVERY. SINGLE. email opt in from here on out. If you advertise a free PDF in exchange for an email address, there must be a consent disclaimer below that email. GDPR requires that any personal data must have a consent disclaimer attached, acknowledging that the individual understands they are giving out their private information.
GDPR requires consent to process an EU citizen’s personal data. This consent requires a written acknlowledgment that is unambiguous and involved a clear affirmative action. Because GDPR requires affirmative action, no pre-ticked consent boxes are compliant. It is best to just axe those from your business completely! Bye bye pre-ticked consent boxes!!
Online Store Checkouts and Contact for More Info Pages
If you collect any personal information from individuals while they are buying product or services from your website, you need to have a clear consent disclaimer. This disclaimer can be the same consent disclaimer as mentioned above in email marketing requirements.
Additionally, make sure the ‘contact page’ on your website or blog have a consent disclaimer. Again, this consent disclaimer can be the same as those for email marketing opt-ins and online store checkouts. This consent disclaimer is also required on any sort of business contract where personal data is being collected, processed, or stored.
Prepare a full consent disclaimer RIGHT NOW!
In all of your marketing and business processes that require a consent disclaimer, you should include different GDPR fields.
- First, you should provide a description that tells the client/customer why you are collecting personal data on said form.
- Next, you should include the options your clients/customers can take.Here you MUST include an option for individuals to withdraw consent and decline permission for you to collect and store their personal data.
- Third, you should have a field that provides legal text and reasoning for collecting data. GDPR also requires businesses to provide the client/customer with contact details so the client/customer knows who they are working with.
You must provide a way for clients/customers to withdraw consent
GDPR requires that businesses give clients/customers the ability to withdraw consent from the business collecting and storing their personal information. Under GDPR, pre-ticked opt-in boxes do not count as valid consent, so stop using them immediately. Instead, provide your clients/customers with a clear and plain language explanation of consent and their right to withdraw consent.
Ensure your have adequate security around client information
Review your security measures around your storage of client or customers personal data. It is recommended that data protection specialist are hired to make specific security recommendations, but getting security advice from an IT professional is also a great option.
Find out if your third-party providers or partnerships are in compliance with GDPR
Do you use other companies to provide business services? I would bet that every single business does! Check with your email company, your website domain host site, your graphic design providers, etc. to ensure they are all in compliance with GDPR. Keep in mind that if they run into trouble with non-compliance, it may affect your business operations.
Develop a system to keep track of which EU clients have withdrawn consent of data collection
It will be helpful for your sake to keep a log of which clients/customers have withdrawn consent from you collecting their personal data. You can also keep track of which clients/customers are EU citizens and have the right under GDPR to request more information about your businesses data collection and their consent rights. If any sort of dispute occurs where a client/customer gave you affirmative consent, having a system or tracking that will give you the ability to go back and show the client exactly when and how they gave you consent for their personal data collection and storage.
Develop an incident response procedure in case of a data breach
Under the GDPR, personal data breaches need to be reported to a relevant data protection agency within 72 hours. If there is a high risk of your client’s data being breached, you must provide a disclaimer informing them of this.
Educate yourself and your business team about GDPR
The most important thing you can do for your business with GDPR is to learn as much as you can! It is always good to be well educated on mandatory regulations impacting your business in order to avoid issues. There is a lot of panic around GDPR, but if you know what to expect, you don’t need to be one of the businesses panicking!
***If you don’t know exactly what to put in your opt-in text, don’t worry! Next week, The Legal Paige will be sharing a free guide with phrases and disclaimers to use on your opt-ins! Stay tuned!