Are you GDPR Compliant? Here’s an honest guide for small businesses.

Caroline Drake

Have you heard many different stories about the new GDPR legislation that applies from 25 May? I haven't known who to believe, so I attended an excellent workshop with experts Clearview Consulting to find out more.

I have summarised the most relevant points below, particularly for small businesses that already do some direct marketing. However, I'm not an expert, and if you have any questions (or your needs are more complex) then I recommend you speak to Clearview for expert advice or check the ICO website.

What do you need to know?

  1. Register with the ICO. It only costs £35 for most small businesses and organisations.
  2. Data can be the following:
    • Names & addresses, emails, IP addresses.
    • Car Registrations
    • Financial Details
    • Health Information
    • Religious/political beliefs
  3. You must ensure it is held correctly:
    • Collected with consent
    • Used for a specific purpose
    • Kept up to date
    • Only held as long as needed
    • Held securely
  4. Consent is an important area for marketing. When you obtain consent, it must be clear (no pre-ticked boxes that the person has to untick) and 'unbundled'. For example, when someone signs up for an ebook or offer, you can't ask for an email newsletter sign-up at the same time. There's a checklist here to help.
  5. New sign-ups after 25th May must meet the new standards. You don't have to go back and reconfirm, but existing subscribers must have the opportunity to opt out.
  6. Delete information you no longer need. Create a written policy for how long you keep different types of data.
  7. Have a separate page on your website with cookie and privacy policies. Here's a nice example from The Guardian.
  8. You are either (or often both):
    • A Data Controller (gain & hold data)
    • A Data Processor (you're given data to work with)
    • If you're a Data Processor, your Controller should give you their GDPR requirements to work to
  9. Have a plan so you know what you would do if you receive:
    • an access request (all the data you hold on someone)
    • a data breach
  10. Make sure all your staff keep to your instructions and document their training.

Blossom takes data control seriously, so be reassured that we will be fully compliant by May. We hope this helps you do the same.