Following an ever-increasing number of high-profile data breaches, the EU has brought in strict new data rules, the European Union’s General Data Protection Regulation (GDPR), which come into effect on 25th May. In short, the GDPR governs how you collect, store and use personal data in your business, whether that business is a huge corporation or a small livery yard. If you hold any data about your clients or employees, however minimal, and especially if you use it for marketing in any way… this applies to you!
Up until now, there have been very few rules on the storage of and access to personal data such as email addresses, contact numbers, postal addresses, dates of birth and similar details. With the increasing risk of fraudulent activity, unsolicited messaging and data breaches, people want to know who holds their data and what is being done with it. As a business owner, it is your responsibility to ensure you meet the new rules that come in this month.
You may think this does not apply to you and is aimed at larger corporate businesses holding huge databases of personal information, but it’s not! One of the main ways it affects equestrian businesses is the electronic storage of people’s data or personal details, such as a client list or mailing list: you need to meet the recommendations for keeping these safe and secure, and limit the extent to which the data you hold can identify an individual. Most importantly, you need people’s permission to keep any of their data (even if it’s just an email address), you must tell them how it will be used, and you must tell them how they can request to view or remove their data from your database at any time.
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data companies now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, such as economic, cultural or mental health information, is also considered personally identifiable information. Pseudonymised personal data, such as usernames, may also be subject to the GDPR, depending on how easy or hard it is to work out whose data it is. Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR: anything that can identify a person, their home, their contact details, their bank details, their medical records and the like.
Another important factor to consider is whether you use CCTV at the yard for security or workplace monitoring. Personal data means anything that can identify an individual, not just written information. This includes CCTV and employee monitoring, which will typically be considered high-risk activities. Employers are entitled to monitor employee activity, and many businesses use CCTV for security purposes, especially if premises are left unattended or the business is high-risk, but they need a lawful basis for doing so and they must tell employees, and anyone else who may be recorded on the premises, that monitoring is taking place. It is recommended that companies carry out a data protection impact assessment (DPIA) to assess the extent to which monitoring is required, where it is required and at what times, and retain a record of this assessment.
The new rules also apply to businesses that promote themselves via mailshots, whether sent from their own web server or via services such as MailChimp, and to marketing by telephone calls or text messages. If you don’t have people’s permission to store or use their data, sending them unsolicited marketing by phone or email is one sure way to highlight that! From 25th May you need people’s permission to store their details in order to use them in any way, including sending marketing and other communications to them. In effect, if you send any communications after this date to anyone whose permission you don’t have, you are breaking the law and they are well within their rights to report you for breaching the use of their data.
- Carry out a data protection impact assessment (DPIA)
- Send consent forms to your existing client base and mailing lists asking for permission to use and store their data.
- As of 25th May 2018, remove from your databases everyone who has not given permission for their data to be used.
- Consolidate all your client data into one secure database.
- Limit access to the data to only those for whom it is absolutely necessary.
- Undertake staff training on new laws and processes for your business.
- Assign strong, unique passwords and enforce periodic password rotation.
- CCTV recordings must be stored securely and encrypted wherever possible.
- Add a clear and simple data policy to your website which can be easily found.
- Do not allow access to, sell or share the database with any third parties.
- Have the facility to send individuals copies of the data you hold about them at their request.
- Have the facility to remove an individual’s data at their request.
- Delete data once the purpose of it is fulfilled.
There are various ways to get consent, but it must be an active, affirmative action by the person rather than passive acceptance such as pre-ticked boxes or opt-outs. You need the person in question to submit their details and actively tick a box themselves to confirm their consent. You could do this via a sign-up page on your website, by email, by post… as long as you receive the consent. You must also keep a record of how and when each individual gave consent, and advise them that they may withdraw their consent at any time and have their details completely erased from your records. Ideally, refer them to the terms of your data use, or to a data policy outlining how, where and when you will use their data. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model from when the new legislation comes in on 25th May 2018.
Failure to comply with these rules, such as sending unsolicited mail or a reported data breach, will result in hefty fines for those involved: up to 4% of annual turnover (£400 per £10,000 of turnover). Even though the UK is due to leave the EU in the next 12 months, the GDPR will still apply to all businesses handling EU residents’ data, effectively replacing the Data Protection Act 1998. A Data Protection Bill, put forward by the UK government in August 2017, essentially replicates the requirements of the GDPR in UK legislation, meaning that those compliant with the GDPR should also be compliant with the new UK data protection law.
This can be a big upheaval for businesses that rely on web marketing using data collected over many years; it can potentially mean losing much of your database and shrinking your marketing reach. However, by taking the steps to meet the new GDPR rules and telling your clients and potential clients how, where and why you will use their data, you earn their respect and they know exactly what to expect; as long as you make the intended use clear, that use is relevant and you are meeting the new rules, it may even be good for business in the long run. It is also a good opportunity to dust off your database (some of which may be many years out of date) and start afresh with a database of current clients and, for marketing purposes, a list of people who genuinely want to hear about your business and what you have to offer.
The changes in the law and the introduction of the GDPR are overseen by the ICO (Information Commissioner’s Office), which offers a specific toolkit and support for small businesses. If your business handles personal data, you may need to register as a data controller with the Information Commissioner’s Office. Registration is a statutory requirement, and every organisation that processes personal information must register with the ICO unless it is exempt. If you use CCTV at your business you must register; other businesses can use the Self-Assessment Tool on the ICO website to see whether they need to register. Registration is quick and easy and costs only £35 a year. Failure to register is a criminal offence.