We've been hearing a lot about GDPR recently. In fact it's everywhere. My own inbox has been littered with emails from different companies, all talking about GDPR. But what is it, and why do I need to know about this for my interior design business?
What is GDPR?
GDPR is a new EU law, which comes into force on 25th May 2018.
GDPR stands for the General Data Protection Regulations. The aim of the legislation is to protect the personal data of individuals, and to make sure that any businesses that deal with people's data have the right permissions to do so.
What's this got to do with me? I'm an interior designer!
Every business that deals with the data of anyone who lives in the EU needs to make sure that they are compliant with the legislation by 25th May.
So if you run an interior design business, you are a freelance interior designer, or you run a related business, like a soft furnishings or painting and decorating business, and you gather data about people, you need to be compliant.
I don't live in the EU so it doesn't affect me, right?
Even if you live outside of the EU, the legislation still applies to you!
So if you have anyone from the EU visiting your website, where you have cookies installed (uh, that's most of us!) or you have EU members on your mailing list, you need to comply.
What does it mean by 'personal data'?
Personal data includes anything about a person. So that can be their name, their email address, their photograph and even their IP address.
It includes personal data not just about customers, but also about suppliers, former employees and so on. Basically, anyone whose personal data you hold.
I don't gather personal data about my customers so that doesn't affect me, right?
Even though you may not think you gather data about people, it is likely that you do! If someone visits your website, for example, it could be that your website stores a visitor's IP address (the unique code that tells you where the visitor is located).
Even if you don't look at this data, it's still there, and you still need to comply with the legislation.
What happens if I don't comply?
There is a lot of scaremongering out there about what will happen to you if you don't comply.
The official line is this: if someone reports you to the Information Commissioner's Office (ICO) for non-compliance, you could end up with a hefty fine. Fines are discretionary (so you may just get a warning at first) but fines can be up to 4% of turnover, or a maximum of 20 million euros.
However, in reality, there's not exactly a queue of people lining up to police what you're doing, so the chances of you getting caught are probably quite slim. And if someone does make a complaint about you, you are likely to get a warning first of all, especially if you have taken steps to try to comply with the legislation.
However, if you haven't taken any steps to comply, then you may not be treated as lightly. You really can't bury your head in the sand about this!
OK, I get it. I need to comply. So what do I need to do?
Let me give you a few pointers to get you on the right track. Please note that this advice does not replace legal counsel, and you should seek professional advice to ensure you are compliant. This is simply my own interpretation of what you need to do.
1. Hold a data audit
If you are not clear on what data you hold, it might be time to hold a data audit. Data includes information stored anywhere: on a computer, a phone, a cloud storage system or on paper.
Answering these questions can help:
- What types of data do you hold?
- Why do you hold this data?
- Do you need to store this data?
- How do you store this data?
- Do you have consent to store this data?
You should document what data you collect, how you collect and process it, and how it is stored and protected.
If you find that you are holding data which is unnecessary, or for which you have not obtained consent, you need to delete it.
2. Review your Website's Privacy Notice
If you already have a privacy notice on your website, that's a great start! However, you now need to check it to make sure that it is GDPR compliant. And if you don't have one already, make sure that you've sorted this out by 25th May!
A privacy notice tells your site visitors what sorts of data you collect, why you have collected it, how it is stored and how it is going to be used.
According to the ICO, your privacy notice must be "concise, transparent, intelligible and easily accessible ... written in clear and plain language... and free of charge".
To make your privacy notice easily accessible, most people place a link to it in the footer of their website. This link should be on every page of your website, every landing page and every opt-in form.
To check that your privacy notice covers all bases, check out the ICO's privacy notice checklist.
3. Cookies
No, we're not talking about biscuits...
Cookies are pieces of information that are stored on your computer when you visit a website. Cookies are used to gather information about a visitor, such as to identify whether a visitor has visited that website before, and they can be used to serve specific adverts to people, to 'remember' what was in their shopping basket and so on.
4. Obtain Consent
If you gather information about people (for example their name and email address) to put them on an email list, you must make sure that you receive consent.
According to the ICO, consent must be "freely given, specific, informed and unambiguous".
This means that someone has to actively opt in, with the emphasis being on the word actively. You know when some websites have a box which is already ticked, and you have to untick it to take your consent away? That's not going to cut it in the new world of GDPR. A tick box is fine, but it needs to be blank, and the visitor has to actively tick it to give their consent. A double opt-in (where the visitor also has to go to their inbox and confirm their address) is also a good idea.
There also needs to be a way for someone to remove their consent. Most email service providers deal with this for you, by giving an 'unsubscribe' link at the bottom of the email.
You may wish to check with your email service provider (e.g. Mailchimp, Convertkit, Activecampaign) to see how they are complying with GDPR.
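To show what the consent rules above look like in practice, here is an added example (not code from the original post or from any email service provider) of a minimal mailing-list signup flow: the consent box must have been actively ticked, the address is only mailable after double opt-in, and withdrawing consent is recorded. The `MailingList` class, the `CONSENT_TEXT_VERSION` label and the form field names are assumptions made for the example.

```python
# Added example: consent capture for a mailing list (hypothetical code).
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets

# Constructed label for the exact consent wording shown at signup, so you can
# later show which text a subscriber agreed to.
CONSENT_TEXT_VERSION = "2018-05-newsletter-v1"


@dataclass
class Contact:
    email: str
    consented_at: datetime            # when the visitor ticked the blank box
    consent_version: str              # which wording they agreed to
    confirm_token: str                # single-use double opt-in token
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class MailingList:
    def __init__(self):
        self.contacts = {}  # email -> Contact

    def signup(self, form: dict) -> str:
        """Accept a submitted signup form; returns the token to email back."""
        # The form must render the box unticked. A box the visitor leaves
        # blank sends no 'consent' field, so anything but an explicit
        # affirmative value is treated as no consent and the signup is refused.
        if form.get("consent") != "yes":
            raise ValueError("no active consent given")
        email = form["email"].strip().lower()
        token = secrets.token_urlsafe(32)
        self.contacts[email] = Contact(email, datetime.now(timezone.utc),
                                       CONSENT_TEXT_VERSION, token)
        return token

    def confirm(self, token: str) -> bool:
        """Double opt-in: the visitor clicks the link sent to their inbox."""
        for c in self.contacts.values():
            if c.confirmed_at is None and secrets.compare_digest(c.confirm_token, token):
                c.confirmed_at = datetime.now(timezone.utc)
                return True
        return False

    def unsubscribe(self, email: str) -> None:
        """Withdrawal must be as easy as consent; keep the record, stop the mail."""
        c = self.contacts.get(email.strip().lower())
        if c is not None:
            c.withdrawn_at = datetime.now(timezone.utc)

    def mailable(self) -> list:
        """Only confirmed contacts who have not withdrawn may be emailed."""
        return [c.email for c in self.contacts.values()
                if c.confirmed_at is not None and c.withdrawn_at is None]
```

Keeping `consented_at` and `consent_version` alongside the address is what lets you answer "when and to what did this person consent?" if asked.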
So, if you run an interior design business, make sure that you get compliant by 25th May!
If you've found this useful, and you'd like to come and join our monthly membership, click here to read more about it.