GDPR will impact businesses of all sizes, from sole traders to multi-national organisations. We’ve been talking to a wide range of business owners this year and wanted to share the questions that are most frequently asked.
I’m starting to worry that my business is not GDPR-compliant. What do I need to do?
First – don’t panic! Our easy-to-follow GDPR customer journey* will help you identify what stage your business has reached and what still needs to happen to become GDPR-compliant.
Next, think about the personal data you hold and map how it enters your business. Once you have identified every source of personal data, consider what happens to it next: how it moves around your business, where it is stored, who can access it and how long you keep it. As you conduct this ‘mapping exercise’, it helps to ask how easily you could find and retrieve everything you hold about one person if a subject access request arrived.
Don’t forget employee and prospective-employee data. When recruiting, how does your business dispose of unsuccessful applicants’ personal data, and how long is it kept first? Employers also need to ensure that all of their employees understand the impact of GDPR and attend training where required.
We use our client database to stay in touch with people and send updates about our products and services. Can we still do this?
That depends on whether you are marketing to other businesses or to individual consumers. The rules for marketing to corporate subscribers are less strict: you may not need consent to continue emailing business clients, although you still need a lawful basis under GDPR (usually legitimate interests) and should honour any request to opt out.
When marketing to consumers (which includes sole traders and some partnerships), the rules are stricter. You need either consent that complies with GDPR, or to rely on the “soft opt-in”, which applies only where you obtained the person’s details in the course of a sale (or negotiations for a sale), you are marketing your own similar products or services, and you gave them a clear chance to opt out when you collected their details and in every message since.
If you already hold GDPR-compliant consent, you don’t need to ask for it again. Consent is not just a tick-box exercise: it must be a clear, affirmative action, so pre-ticked boxes and silence don’t count, and your contacts need to know who they are agreeing to hear from and what to expect from you.
If you want to send different types of information, be clear what people are signing up to receive, for example information about your events, new product launches, or your monthly newsletter. Contacting a client with an update that forms part of the service you already provide is different: if you offer accountancy services and need to tell clients that tax rules have changed, that is a service message rather than marketing, and you can send it because you have a legitimate reason (performing your contract with them) to do so.
I run an SME – is it right that I don’t need to appoint a Data Protection Officer (DPO)?
Not necessarily! Size is not the test. Whatever the size of your organisation, you must appoint a DPO if you are a public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data (such as health data) or criminal conviction data. Simply holding a customer database does not on its own require a DPO. If you conclude that your organisation doesn’t need one, record the reasoning behind that decision so you can demonstrate it for audit purposes. You may still wish to give someone responsibility for data protection, including handling any subject access requests; bear in mind that if you formally designate that person as a voluntary DPO, the GDPR’s requirements for DPOs (such as independence and reporting to senior management) apply just as they would to a mandatory appointment.