Is your business GDPR compliant?
Unless you've been hiding under a rock lately, you have probably heard about the GDPR.
The GDPR is the General Data Protection Regulations that are coming into effect for people living in the European Union (EU) beginning Friday, May 25, 2018.
Here is what you need to know*:
What is the GDPR?
The General Data Protection Regulation (GDPR) is regulation in EU law on data protection and privacy for anyone living in the European Union. (Which countries make up the European Union? Click here). The regulation also addresses the export of personal data outside the EU - so, wherever you live. The GDPR gives control of their personal data to the citizens of the EU. They have the right to know who has their data, why they have it, what they are doing with it, who they are sharing it with, and how to access it and delete it.
The GDPR actually came into being in April 2016, but there has been a two-year transition period in place. It becomes enforceable on May 25, 2018.
Why is it important?
The GDPR is important to residents of the EU because of the rights they will now have regarding their own personal data worldwide. It is important to those outside the EU because if you are collecting, processing or holding the data of someone in the EU and they have not consented for you to have it or use it, you could face stiff fines (up to $20 million pounds or 4% of your company's worldwide income). This is a law, and it is enforceable, so that is what makes it so important to understand.
What kind of data is included?
The regulations include what is called "Personal Data". Basically, the main purpose of the GDPR is to protect the personal data of EU citizens. Personal data is anything that is identifiable to a specific person. It's not just about email addresses. It's about IP addresses of computers, names, addresses, credit card information, and more.
How will it affect my business?
If you are not connecting with or marketing to residents of the EU, you could be safe. However, this doesn't mean that you have EU customers. This includes your customers, your email subscribers, your website and blog visitors, anywhere you have contact with EU citizens is affected. If you are using custom audiences for your Facebook Ads, you will need to be sure your mailing list knows. And if you are using Google Analytics or Facebook pixels on your website, you are collecting cookies and that needs to be made compliant (for EU citizens) as well.
The GDPR regulations are for data processors and data controllers. , etc. the basis of the GDPR is that it includes data processors and data controllers. The official definitions of these two are:
Data controller: Article 4 (7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data processor: Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data controllers are you, and anyone else who works within your company who has access to the data that is being collected.
Data processors are the businesses or services you might use to process the data that is being collected.
Simple example: If you have an opt in on your website, and you use Aweber as your email service, and you have Google Analytics activated on your website, YOU are the data controller. Aweber and Google Analytics are the data processors. Make sense? So your data processors are your ecommerce/bookkeeping systems (or services), your email system, etc.
What do I need to do to comply with GDPR?
Review your processes and update as necessary:
- Maintain records of the data you are collecting and processing (or having processed on your company's behalf).
- Make a list of those who are processing your company data for analytics, mailing lists, marketing, payment processing, online storage systems, web hosts, website, etc.
- Ensure that you have proof of consent for personal email data (ie mailing list). If you can't prove consent, obtain fresh consent.
- Implement a system for people to choose the way you can use their data (ie allow them to opt out of any and all forms of retargeting, marketing, segmentation, and communication).
- Develop a plan to remove stale data from your company's records.
- Be certain that your business's data processors are GDPR compliant.
- Educate your employees, subcontractors and partners on your procedures if they are handling your data in any way, or provide a Code of Conduct for them to adhere to.
- If you do use analytics or a Facebook pixel, install a notification (pop up) to tell people their data is being collected when they visit your site.
- Ensure that your contacts are able to contact you easily if they have they questions about their data that you may be in possession of, or request for their data to be deleted from your possession ('the right to be forgotten').
- Develop a system to handle a data breach, should it occur.
Get more information:
If you want the whole shebang in plain English, this is the best article we have found to explain it clearly: Varonis (Michael Buckbee): GDP Requirements in Plain English
Suzanne Dibble is a UK lawyer who provides excellent information about GDPR compliance. She has a free checklist here: http://globalava.org/gdpr . She also runs an excellent GDPR specific Facebook group (download her checklist to get an invitation to join it), where you can get specific help. She also sells a GDPR Compliance Pack that provides all the forms you might need to become compliant, if you want a handy little package (the webinar is very helpful too!)
The Bottom Line:
Whether you are actively marketing to EU citizens or not, these are good changes to make to your business. It probably won't be long before something like this is rolled out by other countries as well. Data protection is a huge topic of discussion in all areas of business. Don't avoid the whole thing and hope you don't get caught. Do what you need to, to become compliant. Know what data you are collecting, develop good procedures to handle, process and store it, and make sure your connections know that too, and you'll be just fine.
Disclaimer: The Global Alliance of Virtual Assistants (GAVA) is not an official GDPR resource. GAVA is a educational website and blog, and the information contained within this site in no way constitutes legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice as required to become GDPR compliant.
*Article sources: Suzanne Dibble (UK Lawyer), Information Commissioners Office (ICO), Varonis Systems Inside Out Security, Europa EU, Wikipedia (definitions),
About the Author: Tracey D’Aviero is a Virtual Assistant Coach, Trainer, Speaker and Author. After operating a busy VA business of her own since 1996, Tracey began teaching others to run their VA businesses in 2010 through Your VA Mentor. In 2016 she purchased the CAVA and GAVA VA associations and now teaches and coaches VAs exclusively. She has a vast amount of experience working in a many different industries which helps her to offer her students and coaching clients a unique perspective and sound advice. She is a proud advocate of the Virtual Assistant industry. Learn more about Tracey’s journey in the VA industry here.