Peter Savage, CEO of Azule, explains whether you should opt in or opt out of the current red tape nightmare facing businesses large and small.
No, this isn’t another Brexit referendum but I doubt whether any of you reading this are not affected, in some way, by the new European General Data Protection Regulation, commonly known as GDPR or, as I like to put it, the Great Deal of Political Redtape initiative that comes into force on 25th May this year.
Perhaps this last great European edict before Brexit will bring you some relief from the hundreds of emails that clog up your inbox; the telephone calls from people who have bought your name from spurious databases; the letters from mortgage, insurance, bridging finance and other sales teams wanting you to buy their products or services. Perhaps, thinking about it, GDPR is a good thing!
Yes, I come from a finance company and, yes, we are being regulated far more than a company selling widgets. But widget suppliers and suppliers of broadcast kit have to be equally careful about complying. If you have done nothing about GDPR then beware, as there are some sweeping powers, and fines of up to 4% of your company’s turnover, to make sure everyone steps into line.
I’ll give you a few examples of what to do, and what not to do, so that you are at least aware of what is good practice and what is not.
The first thing to recognise is that the regulation applies to processing personal information or data. If you only deal with business information (for example, you sell electronic components to businesses that assemble equipment) then the regulation is less applicable. However, even within this second category, you can fall into the scope of the regulation if the business you deal with is a sole trader, a partnership or if the customer you contact is using his/her personal email address as opposed to an info@ email address.
It also applies to holding personal information. It is fairly obvious that, if the individual you deal with gives you his or her credit card details, then this comes into the scope of the regulation. Less obviously, if you deal with a company and the individual gives you his personal credit card information to cover, say, a hire and you ask for proof of ID, then all this information falls under the regulation.
In simplistic terms:
- the information/data you keep must be relevant and kept to a minimum;
- use of the information/data must be limited and specific and kept no longer than is absolutely necessary;
- the information/data should be kept secure (including not transferring information to countries that don’t operate at the same level of information/data security);
- the information/data should be accurate (do you regularly check your customers’ email details?).
So what should you do?
I could give you numerous examples of whys and wherefores but, again, in trying to keep things simple here are some pointers:
- information/data should be kept in secure places: password protected if on a computer, or in a locked cabinet or drawer;
- destroy the information once you have used it; for example, if you have been given a customer’s credit card details, do not keep them just in case you might need them again;
- you are allowed to call your customers about the operation of their accounts;
- you are not allowed to email customers about new products you may be able to offer unless the customer has opted in to receiving your communications, and that opting in must be done before 25th May;
- you are not allowed to ask customers after 25th May if they want to opt in as that is technically a marketing email;
- if you are in the business of obtaining personal information/data, then all correspondence must have appropriate wording informing the customer that you have to hold the information and that they are happy for you to use it;
- information/data is deemed to be held if it is on your PC, on a third party cloud such as Dropbox, in an accounts system, on phones, in emails, on USB sticks, etc.
I know this sounds like common sense and that is the main point: if you recognise what is personal data, and you know that you have to be careful, then taking sensible steps should be enough for small businesses to keep themselves covered.
Try this. Look around you, while reading this article, and consider how much customer information is sitting within your eyesight, and how much of that information is personal and/or could be construed as confidential. I’ve had to do it with my office, thinking: when I turn on my PC, do I have to log in; do I leave my PC on overnight; does the cleaner have access to all secure rooms in the office; do we all lock our cabinets?
Don’t worry. I am not scaremongering; I’m just saying beware, because there is always someone who will complain and, if they do, you need to be able to explain what your policy is and who is responsible for it... aargh, I feel like Charles Dreyfus, the police chief in The Pink Panther, being taken away in a straitjacket.
These are my personal views and should not be construed as legal advice. If you want to know more about GDPR, then look at the guidance on https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
If you want to know more about Azule, please look at our website: www.azule.co.uk