So the boss ‘invited’ me to write a blog about GDPR, that was nice, I thought to myself, then I went into panic mode and thought, what if I get something wrong? I’ll be lambasted, humiliated by anyone and everyone who claims to know everything about GDPR. Then I realised I probably feel exactly the same as anyone who has some sort of responsibility for GDPR Compliance and is doing this for the first time.
GDPR 2018
The Stimulus Journey to GDPR compliance started in January 2018, we don’t process much data, we looked at our current retention policies and thought ‘yayy’ our work here is done. However, as a responsible organisation, the boss had identified a training course that would help us check we had done as much as we could do, it was a 1 day course hosted locally in Bristol. I went along feeling quite comfortable with the steps that we had taken. At the end of the day I left having passed a relatively simple multiple choice exam paper and was now a Certified GDPR Foundation person!
The trouble is (in a good way), I left with so many questions for the team back in the office, I spoke to the boss about my experience and got my revenge by suggesting that she would benefit greatly by attending the same course. This wasn’t the vindictive part of me kicking in (not totally!) but one of the things I felt from the course was that everyone had an opinion on how they think we should be compliant and it would be good to have someone else’s opinion (in case you hadn’t worked it out, every one in every office has an opinion, regardless of whether or not they have any experience in the DPA or GDPR!).
So, the boss attended the course and she too came away with many questions about the steps we needed to take. How long can we keep emails for? What do we do with old CVs? Do we process any special category data? What about phones? Our CRM….? This list was getting longer and longer.
I volunteered (before I was volunteered) to attend a follow on course aimed at preparing people to fulfil the role of Data Protection Officer(DPO) it was 4 days of slides, exercises, scenarios, discussions, questions, panic, hot sweats, questions….So many questions.
Throughout this journey It’s been a game of buzzword bingo. Compliance, Risk, DPIA, Privacy Statements, Articles, recitals over and over again. Where do I start? I was lying in bed at night trying to work all of this out!
Luckily for me I spent some time in a previous job working with Risk, Physical & Personal security, it seemed that a Risk assessment was the logical place to start, What do we do, Who does it, How do they do it, Who do they share it with once they have done it.
Get everyone involved in GDPR, and make sure you record it as an activity
We started to document our processes and understand what everyone in the team does, from that document we highlighted our biggest risks (turns out that on an irregular basis we may be asked to process some Article 9 compliant data, this was in a very specific part of the business and it wasn’t until we asked everyone to think about what they do that it came to light. That’s my first top tip, get everyone involved in GDPR, and make sure you record it as an activity.
My initial reaction when I first started to understand our business processes was to shut everything down, make it extremely secure and that way the chances of there being any type of breach were being massively reduced. Many discussions took place in the Office and we realised that were we to do this, the business quite simply would struggle to function!
GDPR Compliance
I had a couple of questions that I just wasn’t able to answer and every discussion that I had with other members of the team led to different suggestions, recommendations and in some cases disagreements (everyone has an opinion on how we should become GDPR compliant, even if they couldn’t tell me what GDPR stood for!). The ICO has a telephone helpline for small businesses to call and discuss their GDPR concerns (0303 123 1113 Option 4). I called them and had a really great conversation with a member of their team and explained my concerns and the possible different options. The team member I spoke to listened to my problems and solutions and then in a very nice way commented that “we may be doing far too much” based on the amount of data we process and the perceived risk to that data.
That was my lightbulb moment with GDPR, clearly we have to take steps to be compliant, our processes aren’t any different to what they were under the DPA but it was a really good opportunity to review and update them where required. My draconian ‘shut everything down’ and don’t let people do anything with data was clearly not the best way to do things, now we are using something called ‘Common Sense’. We’ve analysed the risk, we’ve minimised the risk as far as is practical to allow the business to function, we have recorded the risk, identified any training that is required as a result and then documented everything!
I’ve seen a concerning rise in the number of companies who seem to be able to offer ‘solutions’ to your GDPR issues, this concerns me for a couple of reasons, GDPR is not the same for every organisation so I don’t understand how they can sell a one solution suits everyone type package. There are companies selling apps to install into your CRM to be GDPR compliant, this, rightly or wrongly makes me chuckle as they are getting you to install a 3rd party package, share your data with them and this will help you become more compliant. I have to be honest I am not sure how that works!
FAQs
Q. If someone gives me their business card, can I call or email them?
A. Of course you can, business needs to continue! We hand out our business cards because we want to be contacted!
Q. Can I add someone to my newsletter if I have their business card?
A. No. If you want to email them direct, of course, that’s what they gave you the card for. They didn’t give you permission to add them to your company mailing lists!
Q. Do I need to ask permission to add someone to my newsletter email?
A. Yes. And you need to ensure that there is an opt-out link included in the newsletter so that they can unsubscribe should they wish to.
Q. Do I need to ask permission to send my newsletter to someone already on my list?
A. In time you do need to, but the reality is a little bit different. If you include an unsubscribe link in all your newsletters, which you were doing anyway (weren’t you?), the recipients are being asked each time you send them your newsletter if they wish to continue receiving it and are being provided with an easy means to opt out. So, unless you would like to use GDPR as a reason to contact all your list recipients, you shouldn’t need to.
Q. Can I make a marketing call to a phone number on a company website?
A. Yes. The number and email address on websites are related to the company, not an individual. That’s one of the reasons why it’s good business practice to use role email accounts such as sales@ and info@ on websites and other publicly available company information.
Q. Does GDPR apply to my business?
A. Yes, regardless of your size!
Finally, I would strongly recommend that you visit the ICO website and look for resources there before you reach out to external organisations! (https://ico.org.uk/for-organisations/)
GDPR Compliance doesn’t need to cost a fortune!