You probably have heard a lot of people throw the phrase ‘GDPR’ around recently, but what exactly does it mean?
GDPR simply stands for the General Data Protection Regulation, which was proposed by the European Commission and is set to take effect on 25 May 2018 to replace outdated privacy laws.
By introducing the GDPR, the Commission hopes to strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU.
Any business that collects data in or from Europe, whether they are based in the EU or not, will have to comply with GDPR or face a hefty fine of up to €20,000,000 or 4% of global annual turnover, whichever is greater! The new regulations allow data users more control and easier access to personal information held by a business.
What is a data user?
Under the legislation, there are three types of data users:
A data controller is any organisation that keeps personal data on any EU data subjects – this could be employees, customers or prospects. A data controller is also an organisation that is responsible for deciding how the information and data is processed.
If an organisation uses a third-party company to process or collect data but not to contact the individuals directly, then the third party would be considered a data processor. If data processors make contact with data subjects, they are seen as data controllers.
To be GDPR compliant, data controllers and processors must ensure an individual’s personal data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up-to-date or deleted
- Kept for no longer than is necessary
- Kept with appropriate security of the personal data, including protection against unauthorised or unlawful processing, or loss
Data Subjects – individuals
Individuals whose data is kept by a business have certain rights under GDPR. These include:
- The right to be informed
- The right of access to their personal data, free of charge
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability, e.g. energy contracts
- The right to object
- Rights in relation to automated decision-making and profiling
We are ready
At Rawww, we have always been committed to protecting our clients’ data privacy and have continuously ensured we have business processes in place that are robust and responsible. We don’t consider the 25th May as a deadline, but instead see GDPR as an opportunity to empower our clients in having more control over their personal data.
As part of our preparations for the GDPR we have conducted data mapping of all client websites and email marketing across the business to ensure we are fully prepared for May 2018. Following the ISO’s guidelines, we have set up:
- Password Policy – All Rawww email communication is conducted via Gmail and all Rawww employees have double-verification password protection on their accounts.
- Employee training – All Rawww employees are trained in data handling and sign up to Rawww’s GDPR code as part of their induction. This also includes password management, computer handling, paperwork shredding and security and email etiquette.
- Secure and regulated data platforms and server systems – All Rawww client projects are held and managed in a password-protected, top-tier, cloud-based project management system. This data will never be passed on to 3rd parties without permission.
- Supplier checks – All suppliers and third party cloud platforms have been contacted and requests made for GDPR and Data Protection Policies. Rawww will always endeavour to source the most credible and top tier suppliers and cloud systems.
- Data mapping of projects – All Rawww client projects are data-mapped and indicate where data is collected, stored and processed. This allows Rawww to clearly define its data processor role in relation to clients and the handling of their customer data.
- Marketing data confirmed – All data collected via new business enquiries is held in a top-tier, password-protected management platform. This data will only be used to address the enquiry made and, with permission, to send Rawww’s Good Stuff quarterly newsletter with industry insight. In addition, we are cleansing existing email lists to ensure only those who wish to receive content will be contacted.
- Data Protection Policy updated – We have added a GDPR code to our existing Data Protection Policy.
- GDPR email setup for GDPR communication and requests – We have set up a specific email account which will handle all GDPR communication and any data requests made.
Are you ready?
If you are struggling to get your head around the new regulations or are unable to find the time to ensure you are GDPR compliant by the 25th May, allow us to help. We are up-to-date with all GDPR regulations and can guide you through the necessary steps to take in becoming GDPR compliant. Working together, we can ensure you are GDPR ready by following our tried-and-tested method:
Email data cleanse – We will create and carry out an email marketing strategy to encourage existing customers or clients to confirm they would like to continue receiving content from you.
Why do I need to do this? Data subjects must give explicit permission to be on your data list and must consent to how their data is used.
Why do I need this? Data subjects must be made aware of how their data will be used, stored and managed by your business before they sign up to anything.
Ongoing support – We will provide you with ongoing GDPR support, helping to manage data requests and future GDPR updates to your marketing databases and strategy moving forward.
Why do I want this? Under the new regulations, data subjects will be able to make requests that you amend or delete their details from your list. Regulations can change, as can your marketing!
What are you waiting for? Make sure you’re ready for 25th May 2018 and contact Rawww today!