GDPR Privacy

What is GDPR Privacy?

Maybe you're vaguely aware that something's happened; after all, you almost certainly noticed the GDPR privacy emails that flooded your inbox in May 2018. Those came from companies asking for permission to keep you on their subscriber lists.

Despite having been many years in the making (it was adopted in 2016 with a two-year transition period), GDPR only became enforceable on 25 May 2018, around the time you were getting all of those emails.

GDPR (the General Data Protection Regulation) is a European privacy regulation. Because it is a regulation rather than a directive, it applies directly in every EU and EEA country without having to be written into national law first, although countries can add local rules on top. It applies to any business that offers products or services to individuals in the EU or EEA and holds their personal data.

And as long as you fall into that definition, it doesn't matter whether you're located in Europe or anywhere else in the world: the law still applies to you.

GDPR was introduced to give individuals in the EU and EEA more control over their personal data and how it's used. That covers everyone whose data you hold: customers, prospects, contractors and employees. It also shifts some power away from large organisations that use this data to make a profit.

It sets out to reassure people that their data is protected, secure and in safe hands at all times. Personal data means any information relating to an identifiable individual: their name, email address, photo, social media posts, even a computer's IP address, since the regulation explicitly counts online identifiers as personal data.

Under GDPR there's also no distinction between personal data collected in a work context and data collected in a private or public one: it's all personal data.

Put another way: are you collecting personal data? If so, there are now strict rules about how you store, manage, use, analyse and protect the data of visitors, clients and suppliers, and it's your responsibility to stay compliant at all times.

What does GDPR privacy mean for you?

Firstly, don't panic. The maximum fine is €20 million or 4% of worldwide annual turnover, whichever is higher, but I don't expect fines on that scale to be a realistic prospect for most small businesses. Supervisory authorities can also issue warnings and reprimands instead of fines, although you shouldn't count on getting a warning first.

That doesn’t make you immune, though.

GDPR is really just a way to ensure that everyone handles personal data considerately and responsibly. If you're already doing that to an extent, treat this as an opportunity to embrace the changes and take the very best care of your guests' personal information.

For example, if you have an email list, whether you built it up over the years or bought it, you can no longer use it to send marketing emails to potential guests unless the people on it have specifically opted in to receive them. In practice a bought list rarely comes with consent that covers your business specifically.

The same applies to running competitions or getting anyone to sign up to a list: be specific about what you're going to do with their data and the kind of emails you'll be sending. You also need to record that consent (who consented, to what, when, and through which form) so you can produce it if questioned; the regulation puts the burden of demonstrating consent on you.

Existing customers are more of a grey area. GDPR sets no fixed retention period, but it does require that you keep data no longer than you need it, so you need a rule you can justify. A reasonable one: if someone registered with you more than a year ago and hasn't replied to any of your emails in the past year, remove them.

The main thing about GDPR is ensuring the data you hold is up to date, accurate and consensual, meaning people have agreed to you having it (or you have another lawful basis for holding it, such as needing it to manage their booking). If you have neither, your best bet is to delete it.

Steps to becoming GDPR-compliant

1. Conduct a data audit

The first thing I'd recommend is to look at the type of data you're storing. This could be anything from names and email addresses to postal addresses and payment details.

Sort and categorise this data and decide whether you actually need to store it at all. Consider how you're using it and where and how it's stored, then review your security procedures: who else has access to the data, and why. Note every place personal data ends up beyond your main system (spreadsheets, email exports, booking platforms), because a request to delete or export someone's data has to cover every copy.

2. Run an email re-permissioning campaign

As I mentioned above, it's vital to start recording the consent of everyone on your email list, whether they're new subscribers or signed up five years ago.

Which means you're going to have to send out one of those re-permissioning campaigns that everyone else was sending out recently. Sorry! Treat anyone who doesn't respond as not having consented and drop them from the list.

3. Ensure you’re compliant with individuals’ rights

GDPR is very specific about the rights of individuals and how their data is handled and processed, so you have to ensure that your processes support the rights outlined below.

These rights are:

  • The right to access
  • The right to be forgotten
  • The right to data portability
  • The right to be informed
  • The right to have information corrected
  • The right to restrict processing
  • The right to object
  • The right to be notified

4. Draft up a GDPR privacy policy

It's essential to display a privacy policy to anyone who is about to submit their personal details, whether they're interested in becoming a guest, signing up for emails, or anything else; it should be displayed prominently online.

I’ve put together a checklist that should help when you are drafting up your GDPR privacy policy, as not everyone knows where to start.

5. Plan how you’ll handle data requests

You may be asked by an individual to see, correct, delete or receive a copy of the data you have stored on them, as is their right.

You should have a process in place for handling these requests within the statutory one month (extendable by a further two months for complex or numerous requests, provided you tell the person within the first month), and for confirming that the person making the request is who they say they are before you hand over or delete anything.
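To make steps 2 and 5 concrete, here is an added example (not code from the original post) of the minimal record-keeping they call for: an append-only consent log per guest, so you can show who agreed to what, when and through which form, plus helpers for the access, rectification and erasure requests described above and a calculator for the one-month response deadline. Everything in it is an assumption made for illustration: the class and function names, the in-memory store standing in for a real database, and the constructed sample guests.

```python
# Consent log and data-subject request helpers for a small guest database.
# Added example, not code from the original post: the class and function names,
# the in-memory dict standing in for a database and the sample guests are assumptions.
import calendar
import json
from dataclasses import asdict, dataclass, field
from datetime import date, datetime, timezone
from typing import Any, Dict, List, Optional, Union


@dataclass
class ConsentRecord:
    """One consent event: what was agreed (or withdrawn), when, where, under which notice."""
    purpose: str         # e.g. "marketing_email" or "competition_entry"
    granted: bool        # True for an opt-in, False for a withdrawal
    recorded_at: str     # ISO 8601 UTC timestamp of the event
    source: str          # where it was captured, e.g. "website_signup_form"
    notice_version: str  # the privacy notice the person was shown at the time


@dataclass
class Guest:
    email: str
    name: str
    consents: List[ConsentRecord] = field(default_factory=list)  # append-only history

RECTIFIABLE_FIELDS = ("name",)  # profile fields a person may ask you to correct


class GuestStore:
    """Guests keyed by e-mail. Consent changes are appended, never overwritten."""

    def __init__(self) -> None:
        self._guests: Dict[str, Guest] = {}

    def add_guest(self, email: str, name: str) -> Guest:
        guest = Guest(email=email.lower(), name=name)
        self._guests[guest.email] = guest
        return guest

    def record_consent(self, email: str, purpose: str, granted: bool, source: str,
                       notice_version: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self._guests[email.lower()].consents.append(
            ConsentRecord(purpose, granted, when.isoformat(), source, notice_version))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The latest record for the purpose decides; no record at all means no consent."""
        guest = self._guests.get(email.lower())
        if guest is None:
            return False
        relevant = [c for c in guest.consents if c.purpose == purpose]
        return bool(relevant and relevant[-1].granted)

    def marketing_recipients(self, purpose: str = "marketing_email") -> List[str]:
        """Only addresses with a live opt-in may be mailed; a bought list has none."""
        return sorted(e for e in self._guests if self.has_consent(e, purpose))

    def export_subject_data(self, email: str) -> Optional[str]:
        """Right of access / portability: everything held, as machine-readable JSON."""
        guest = self._guests.get(email.lower())
        return None if guest is None else json.dumps(asdict(guest), indent=2)

    def rectify(self, email: str, **fields: Any) -> bool:
        """Right to rectification: correct profile fields, never the consent history."""
        guest = self._guests.get(email.lower())
        if guest is None:
            return False
        for key, value in fields.items():
            if key not in RECTIFIABLE_FIELDS:
                raise ValueError(f"not a rectifiable field: {key}")
            setattr(guest, key, value)
        return True

    def erase_subject(self, email: str) -> bool:
        """Right to erasure: drop the whole record; False if nothing was held."""
        return self._guests.pop(email.lower(), None) is not None


def response_deadline(received: Union[date, str]) -> date:
    """Latest date to answer a request: one calendar month from the day it was received.
    Assumption: the same day of the following month, or that month's last day if it
    is shorter (31 Jan -> 28 Feb in a non-leap year). Accepts a date or an ISO string."""
    if isinstance(received, str):
        received = date.fromisoformat(received)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return received.replace(year=year, month=month, day=min(received.day, last_day))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real guest list.
    store = GuestStore()
    store.add_guest("alice@example.com", "Alice Example")
    store.record_consent("alice@example.com", "marketing_email", True,
                         "website_signup_form", "privacy-notice-2018-05")
    store.add_guest("bob@example.com", "Bob Example")  # from a bought list: no consent
    print("mail to:", store.marketing_recipients())   # alice only
    print("reply by:", response_deadline("2018-01-31"))  # 2018-02-28
```

The design choice worth copying is that consent is never edited in place: a withdrawal is appended as a new record, so the history you would have to produce if questioned is preserved, and the mailing list is derived from that history rather than kept as a separate flag that can drift out of sync with it.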

6. Determine how you’ll deal with data breaches

Despite our best efforts, data breaches can and do happen. Aside from taking all the standard precautions, it's how you deal with them once they occur that really matters.

Start putting together a plan that sets out exactly how you'll deal with a breach. Your procedures should cover detecting, reporting and investigating breaches. Bear in mind that GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to put the people affected at risk, and to tell those people directly without undue delay where the risk to them is high. Keep a written log of every breach, including the ones you decide not to report, together with your reasoning.

7. Check your lead data protection supervisory authority

If you're operating in more than one EU member state (for instance, if you have a holiday let in the UK and one in France), it's important to find out who your lead data protection supervisory authority is. This is normally the authority in the country where your main establishment is.

For more help and guidance, check out the guidelines of the Article 29 Working Party (replaced on 25 May 2018 by the European Data Protection Board, which has endorsed them), which break GDPR down and make it much easier to understand.

8. Check out ICO’s code of practice

If you're looking for more GDPR advice from a good, reliable source, the website of the Information Commissioner's Office (ICO), the UK's supervisory authority, has plenty of great resources that should help.

Key GDPR privacy resources to keep bookmarked

In Summary

If you’re not GDPR-compliant yet, don’t worry too much – I’m sure you’re not the only one! The best way to look at it is to treat this as an opportunity to become better at dealing with your guests’ personal data and safeguard your business.

Work your way through the steps above, and don’t forget to check out the GDPR privacy policy checklist I’ve put together to hopefully make things a bit easier for you.