Sookio


GDPR: Get on top of data protection

Read our guide to data protection reform and find out what steps your business should take to be fully compliant.

If you’re a business owner or marketer, you’ll have heard about something called GDPR. Perhaps you’ve heard talk of eye-wateringly large fines being issued if your company is not compliant. You may be starting to think, “Er, I really should be doing something about this.”

So we’ve put together a handy guide to GDPR to explain what it is, why it’s important, and the steps your business can take to make sure you stay compliant.

We’ll also explain what we’ve done here at Sookio so you can see the practical steps we take ourselves to protect personal data.

OK. So what is GDPR?

The General Data Protection Regulation is one of the world’s strictest data protection laws.

It requires every organisation that offers products or services to EU citizens or handles their data to adhere to a strict set of data privacy and security measures.

Why was GDPR introduced?

The main aim is to help citizens of the EU keep control of their personal data.

As you’ll know if you’ve ever ended up on some dodgy mailing list with no idea how you got there, your personal data is something of value. Privacy is becoming ever more important and we need to be able to protect our digital lives.

For businesses – particularly those operating across borders – GDPR offers a core set of rules that everyone can work to across the EU.

It ensures consistency around data protection laws, so it’s easier for businesses to make sure they are doing it right.

What do we mean by data, anyway?

What we’re talking about is any information that can be used to identify someone.

This could be a name, address, date of birth or other factors pointing to their physical, genetic, mental, economic, cultural or social identity, along with IP addresses, user IDs, GPS data and cookies.

The ICO has a handy infographic outlining its own data policy. It represents the level of transparency and clarity businesses should aim for.

To whom does GDPR apply?

Organisations operating within the EU that process personal data, and those outside the EU that offer goods or services to individuals in the EU.

But didn’t we leave the EU? Why do we need to bother?

Woah there! You’re not getting away with it that easily. British businesses are still subject to GDPR law, so it’s important to adhere to all the rules and regulations.

How big are the fines if we don’t comply with GDPR?

Get ready for this. Under Article 83(5), serious infringements can result in fines of up to €20m or 4% of your company’s global annual revenue, whichever is higher.

For less serious infringements we’re talking €10m or 2% of global turnover.

This is a LOT of money to give away!

Since GDPR was launched in May 2018, there have been several high-profile fines issued to companies across the UK and European Economic Area (EEA).

  • Google was one of the first companies affected, with a £43.2m fine issued in 2019 due to poor access to information around consumer data processing.

  • Retail giant H&M was fined £32.1m in 2020 after it was found that the employee data it collected violated the GDPR rules.

  • The same year, British Airways faced a £20m fine after its web users were directed to a fake website following a data breach.

So is it only for big businesses and not SMEs?

It’s for everyone. So, if you handle personal data about your customers – perhaps you buy and sell products online, you’ve developed an app for people to track their diet or fitness, or you’re a charity with a large mailing list – then you’re going to need to sharpen up your approach.

How is GDPR enforced? How will they know if you’re breaching the law?

Anyone who has suffered damage as a result of unlawful processing of their data is entitled to receive compensation.

So you could potentially be reported if there’s been a data breach or someone suspects you have not handled their data correctly. You would have to prove this is not the case.

What is a data breach?

It’s more than just losing personal data. It can be the destruction, loss or alteration of personal data, or unauthorised disclosure of or access to it. The Information Commissioner’s Office provides additional guidance on what constitutes a data breach under GDPR law.

A good example is Ashley Madison, the marital affairs website which suffered a cyber attack leading to details of 33 million users being published online – even those who had paid an extra fee so their data would be deleted. The company was fined $1.6m for failing to protect its users’ data.

So what are the key principles of GDPR?

It’s all set out in Article 5. Personal data must be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals

  • collected for specified, explicit and legitimate purposes

  • adequate, relevant and limited to what is necessary

  • accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay

  • kept in a form which permits identification of data subjects for no longer than is necessary

  • kept securely.

What are individuals’ rights when it comes to their personal data?

  • To be informed

  • To have access

  • To rectification

  • To erasure

  • To restrict processing

  • To data portability

  • To object

  • Plus rights in relation to automated decision making and profiling.

Who is responsible for all this?

You are. You also have to be able to demonstrate compliance with the principles.

How can you demonstrate you comply?

There are several things you can do to show compliance. Firstly, put in place technical and organisational measures. These could be:

  • staff training

  • internal data protection policies

  • internal audits of processing activities

  • reviews of internal HR policies

In addition, you can show further commitment to staying GDPR compliant by ensuring you:

  • Maintain relevant documentation on processing activities

  • Appoint a data protection officer

  • Minimise the amount of data you collect

  • Continually review and improve security features

  • Explain clearly and concisely to customers how you will be using their data

  • Get their consent – and keep a record of this!

  • Give notice if the data will be used by third-party applications

GDPR compliance has become integral to the way companies do business. At Sookio, it’s something we keep in mind when we’re working with clients and organising our own data management.

8 steps to ensure data compliance

When GDPR first came into effect, my first thought was that as a digital marketing agency it wouldn't affect us too much. We never pass on data to third parties and we don’t do any online transactions.

And then I remembered: email marketing! Ah. We manage our own list and those for clients, so this is a big concern. We also keep all our clients’ details in our accounts and CRM system; this is all completely private, but it still means we’re processing and storing data.

These steps help us stay on top of GDPR, and can also help you:

1.     Ensure your team understands what GDPR means and its implications. Explaining how much is at stake – both financially and reputationally – will help your team take it more seriously.

2.     Know all the data you’re collecting and document it. Only collect data that’s required. What are you storing? How long will it be stored for? Where are you storing it? Knowing the answers to these questions helps show you are making every effort to stay compliant.

3.     Review and update your public privacy policy to make sure it explains clearly and concisely what you do with the data you hold. Take a look at the essential information on the Privacy notices, transparency and control page on the ICO website and use it to guide your own policy.

4.     Review your procedures to make sure they cover the rights of individuals. Can you erase personal data if someone requests it, for example?

5.     Be transparent about data collection. Make sure your customers know exactly what data you’ll be storing about them.

6.     Keep up high levels of password security to help avoid data breaches. We currently use a password manager to generate unique passwords and keep them secure. Avoid the temptation to reuse the same password across different services, and get into the habit of changing passwords when a member of staff leaves.

7.     Only run mailing lists with addresses that have opted in. For example, if you’re running a Mailchimp newsletter, people will need to verify (via a form on your website or another signup link) that they want to be added to the mailing list. This is crucial as it involves not only access to data, but storing it in a third-party platform, so clear consent is essential.

8.     Revoke access for all apps that are no longer essential. While you’re at it, check who has admin rights too, and delete anyone who doesn’t need to be there. Give it all a spring clean.
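Steps 2, 4 and 7 above (know what you hold and for how long, be able to erase it on request, and only list addresses that have verified they want to be there) can be seen together in a small consent ledger. The following is an added example written for this article; it is not Sookio’s code, not Mailchimp’s, and the class, field names, the seven-day window for unconfirmed signups and the sample addresses are all assumptions for the demonstration. It shows double opt-in with a single-use confirmation token (only a hash of the token is stored), a record of when and where consent was given, a right-of-access export, erasure on request, and a purge of signups that were never confirmed.

```python
"""Added example (not from the Sookio post): a minimal double opt-in
consent ledger for a mailing list. All names, fields and the retention
window are assumptions made for this demonstration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Assumed retention window for unconfirmed signups (not stated in the post).
PENDING_TTL = timedelta(days=7)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    """What we keep per address: enough to evidence consent, nothing more."""
    email: str
    source: str                        # where the signup came from, e.g. "website-footer-form"
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    token_hash: Optional[str] = None   # only a hash of the confirmation token is stored


class ConsentLedger:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, ConsentRecord] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def request_signup(self, email: str, source: str) -> str:
        """Record a pending signup and return the one-time confirmation token.

        The token goes into the confirmation link emailed to the address; the
        address is not on the list until that link is used."""
        token = secrets.token_urlsafe(32)
        self._records[email.lower()] = ConsentRecord(
            email=email.lower(),
            source=source,
            requested_at=self._now(),
            token_hash=_hash_token(token),
        )
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Complete double opt-in. Fails closed on unknown, expired or reused tokens."""
        rec = self._records.get(email.lower())
        if rec is None or rec.token_hash is None:
            return False
        if self._now() - rec.requested_at > PENDING_TTL:
            return False
        if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
            return False
        rec.confirmed_at = self._now()
        rec.token_hash = None          # token is single use
        return True

    def is_subscribed(self, email: str) -> bool:
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None

    def access_record(self, email: str) -> Optional[dict]:
        """Right of access: return what is held about the address, or None."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        return {
            "email": rec.email,
            "source": rec.source,
            "requested_at": rec.requested_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
        }

    def erase(self, email: str) -> bool:
        """Right to erasure: drop everything held about the address."""
        return self._records.pop(email.lower(), None) is not None

    def purge_unconfirmed(self) -> int:
        """Retention: discard signups never confirmed within PENDING_TTL."""
        cutoff = self._now() - PENDING_TTL
        stale = [e for e, r in self._records.items()
                 if r.confirmed_at is None and r.requested_at < cutoff]
        for e in stale:
            del self._records[e]
        return len(stale)


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample address, not real data.
    token = ledger.request_signup("reader@example.com", "website-footer-form")
    print("subscribed before confirm:", ledger.is_subscribed("reader@example.com"))
    print("confirmed:", ledger.confirm("reader@example.com", token))
    print("record held:", ledger.access_record("reader@example.com"))
```

The point of the design is that the ledger holds only what is needed to show that consent was given (address, source, timestamps), nothing is marked as subscribed until the emailed token comes back, and both erasure and expiry of stale signups are one call each, so the answers to “what are you storing, for how long, and can you delete it?” are visible in the code rather than buried in a platform’s settings.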

How can we help?

If you would like help with any aspect of digital marketing, whether it's improving your email marketing performance or building strong relationships with your customers, just get in touch!