GDPR is live: 4 things you should know
Edwin Meijer, marketing director at Garden Connect and guest author of this article has received a lot of questions from his clients about being compliant with GDPR. Therefore, he compiled the four most frequently asked questions and provided a comprehensive answer for each.
28 May 2018 | 0
The General Data Protection Regulation (GDPR) law came into effect on Friday, May 25. There is still a lot of confusion and hesitation around GDPR and what is required of garden centres and those with websites. To address the most common questions, Edwin Meijer has guest authored this article to try reassure and advise readers of the actions they should take.
Should I ask all my subscribers to opt-in again for my newsletter?
According to the GDPR, you should know from everybody in your e-mail database how and when they have given you permission to send them e-mails. It’s likely you threw away the old sign up forms from 2011 so in theory, the answer is: yep, you need to ask everybody to re-subscribe.
But if you think about this, why would you ask somebody who has been happily receiving your newsletter for five years already to opt-in again? Sounds a bit weird, doesn’t it? We have a more pragmatic approach. Ask yourself the question whether you have bought an email list or (more or less) tricked people into your mailing list. If the answer is no, from our perspective, you can continue sending out your emails. People can always unsubscribe anyway and they had the chance to do that numerous times.
However, if the answer is yes, you are violating the law already for more than two years now. This would be a nice moment to put everything in order and ask your recipients to opt-in again. We know some garden centres did something like this voluntarily and lost over 85% of their newsletter subscribers, so please only do this when you have messed up things in the past.
Data Processing Agreement
We have received a few hundred already, however, we are still not done with the data processing agreement. You should have a data processing agreement with all the companies that store or process customer data on your behalf. Like Garden Connect, your ePOS supplier and the marketing group you’re a member of, for example. But also don’t forget your bookkeeper or IT supplier.
The most asked question in regards to our data processing agreement is about security. We tell our clients we protect their data in a reasonable way. But what does that means? Hopefully, this example makes it clear:
A hospital holds records of their patients with sensitive, medical information and will have a stronger security layer than a loyalty card with the number of Elho containers a customer has bought. And Barclays Bank will have the financial records of their customers better secured than we did with our newsletter system (at least, that’s what I hope).
We ask ethical hackers regularly to track down any flaws in our security so I am happy to vouch for the fact that our system is as bulletproof as possible. However, you should put it all in perspective since we don’t hold any payment information, social security numbers or credit card details. So the need for extreme security is not there compared to your local hospital or GP.
But I can get a fine from the 26th!
Strange enough, the 25th of May is not a deadline for us, but a starting point. The GDPR forces companies to comply with several terms, but the most important one is the fact that “privacy by design” should become the company standard. This means that literally, everybody in your organisation should be aware of how you should process customer data. This means that after the 25th of May there is still enough to do!
But could you potentially get fined? Yes, you can. In theory. From our perspective the Information Commissioner’s Office won’t be looking directly at small and medium firms, so I don’t think there is a big chance you will get a fine straight away.
The new GDPR legislation started a process that makes companies more aware of how important privacy and security are. This is not something that has stopped now the 25th of May has passed, this will be an ongoing process.
If you will be selected for a GDPR check in the upcoming years you should be able to show what you did to comply with the GDPR otherwise you will be getting that fine. But that fine won’t be in your inbox the upcoming week.
Check your (online) security
In our webinars, we have talked about it a lot already, but security is really a magic word for GDPR. Let me give you an example to show you how quick you miss something.
During a meeting with a garden centre owner, we discussed GDPR and therefore spoke about security as well. This person secured his laptop with a proper password, great virus scanner and the internal company network was perfectly safe. Thereafter, he told me that he stores his daily backups on an external hard disk, at his home. So I asked him: if I can find a way to obtain that external hard disk I have all your data? Well, he has changed this now.
This example makes clear that you miss something in terms of security quite quickly. Think well about how you have managed your IT-security and get it sorted. An experienced hacker will be able to hack your systems if they really want, even if you have the latest, top of the bill security. However, if something like that happens we are pretty sure you won’t be fined. Just make sure you solve all the easy stuff yourself and prevent something like the example above.
The worst case scenario is to think GDPR is done and dusted since the deadline has passed. This is only the beginning and you will need to take it seriously.
NB. We’re happy to help you, but we’re no lawyers at Garden Connect. Please consult a legal professional if you’re looking for legal advice.