The new General Data Protection Regulation (GDPR) comes into force in May 2018 – that gives you less than two months to be ready for the new way you’ll have to collect, store and manage the data you collect.
What do I need to know?
- You are responsible for all the data you hold. That applies even if your data is held in a CRM system you subscribe to.
- ‘Data’ refers to anything that can identify an individual, and includes name, address, email, phone number, IP address, photographs, financial information and more.
- Data collection refers to the information you hold about anyone, including customers and employees.
- You have to store that data responsibly, including holding a current back-up of the data and securing it as far as possible against theft or loss.
- You can only hold data with your customers’ consent, and that consent must be actively given – no more opting-out on your website – only very clear opt-ins.
- You must be clear and transparent about what you are doing with the data, where you are holding it and how you are protecting it.
- You must not use data for any purpose other than that which your customer gave permission for.
- If a customer asks to view, change or delete their data, you must do so, unless there’s a clear reason for refusal – and that reason must be one of the reasons allowable under GDPR.
- You must also document all requests by customers about their data and your response to those requests.
What do I need to do?
- Look for somewhere near you that is offering GDPR help. If you have an HR department or outsource your HR, the professionals there should be able to give you guidance. Local networking groups or HR consultants may also be putting on dedicated training days or presentations that will help.
- Talk to your IT support or IT department – you will need to make sure that your systems are up-to-date and secure and that you have the facilities to store data properly and make regular back-ups.
- Put together a policy that covers how you are collecting, storing and using data.
- If you are a large retailer, you might need to appoint a Data Protection Officer to take responsibility for the data within your business.
How do I find out more?
The best place for full information is the Information Commissioner’s Office (ICO). The ICO will manage and regulate GDPR and has lots of information and resources to help you understand what you do and do not have to do. Make sure you seek out professional advice – Modulus Retail is not a GDPR adviser or expert.