Ok, hands up. Honestly. Who knew about the new European privacy regulations and what they meant for you and your company, let’s say, 6 months before the deadline? How about 3 months? 1 month? The week before? The morning of May 24th?
I’m sure a lot of people heard that something was changing, but, as with so many regulations and little legal bits and pieces that are constantly changing for all types of businesses in the UK, they just thought, hey ho, I don’t need to worry about this. It’s not going to change anything for me.
It changes everything.
Now let me get something straight. For 99.99% of people and businesses, compliance with GDPR was already there. You weren’t taking and holding more information than was required from your customers. You weren’t using it for marketing purposes. You weren’t sharing it with any third-party providers.
What you didn’t do however is write an exhaustive document detailing that you didn’t do these things, and stating exactly what you actually did do with the data. Nor did you make it clear to people that they could contact you at any point and have that data deleted, unless it stopped you from providing an ongoing service or if you were required by law to keep it. (If you did do this, then good on you! You passed GDPR!)
For you, GDPR was about registering with the ICO (which costs you £35 by direct debit, or £40 by card and is, in almost all circumstances, required), and then writing a load of documents and plastering them on your website and in your company offices.
It’s the equivalent of showing your working out in maths. Even if you get the answer correct, the examiner demands you write down how you got there, and will fail you if you do not.
Now obviously, for the remaining percentage of companies who were either a) doing a lot of marketing, using third parties, or simply larger companies, etc., or b) being very naughty with your information, GDPR was much more complicated.
Yet it was interesting that the main coverage of GDPR only reached the main media outlets THE DAY BEFORE the rules came in, which incited a lot of panic amongst people and companies who were either unaware of the new rules, unaware of the date they were due, or struggling to be ready in time.
We had contacted a number of our clients who we knew would be affected by the new rules coming in and offered to give them a hand. That’s why, on the 4th of May, I found myself travelling to Coventry, on a relatively nice day, on my motorbike, at 0630 in the morning. 120-odd miles later, at 0900, I was there and raring to go, with a GDPR checklist at the ready.
(Image caption: My trusty steed)
I think they wanted to throw me out by 0930.
This was a company that had been around for more than 30 years and took pride in providing a friendly and easy service to their customers. This was more than evident as they had over 1000 hand-written thank you letters. On their walls. With customer names and addresses on them in full view of anyone walking around their showroom.
Now every single person who had written those letters, some dating back to the early nineties, had given their permission for them to be used in that way. But were there any records of this? No. So by GDPR rules, the company would have had to make their best effort to contact each of these customers, explain what information they currently held on them and what it was being used for, and explain that in their cases it was on view to the public in their showroom. Alternatively, they could take everything down before the 25th May deadline and tell the individuals that their data was now stored securely.
Or, they could do what they ended up doing: take a pair of scissors and a marker and individually remove all personal information from each letter.
(Image caption: What some think of GDPR…)
(Image caption: What others think of GDPR…)
In the end, I was in Coventry for just over 5 hours helping our client go through all aspects of their processes, data retention and privacy policies, before spending another 3 hours on the road back to Dereham. I can neither confirm nor deny that I got lost somewhere in the Cambridgeshire Fens due to a few accidents on major highways, nor that I had to ask a random man who was fettling a Subaru with a huge rear wing for directions. Thank you, random car-tuning man.
To sum up, GDPR is here, and it isn’t going away. Failure to register with the ICO when you need to can lead to an instant £5000 fine. You can find out if you need to register HERE – a quick tip though: if you have CCTV on your premises, you need to register, simple as. The fines for GDPR non-compliance can be up to around £17,500,000 or 4% of your annual turnover, whichever is higher. For a small company, getting caught and fined is almost certainly going to put you out of business, so it is essential that you ensure your company is GDPR compliant. However, DO NOT PANIC – as long as you take an organised approach to this, you will almost certainly find that you are doing a lot of things correctly already and don’t actually need to change much.
Just remember to show your working out before giving the final answer.
Need some help with your GDPR compliance? Drop us a line on 01362 851118 or email firstname.lastname@example.org – we’re here to help!