What is GDPR and How Does It Impact Your Business?


Post summary:

  • What is GDPR?
  • The business implications of GDPR
  • The impact of GDPR on customer engagement

The internet has dramatically changed the way we communicate and how we handle everyday tasks.

We send emails, we share documents, we pay bills and we purchase goods by entering our personal details all online and without a second thought.

Have you ever stopped to wonder how much personal data you have shared online?

Or what happens to that information?

Banking information, contacts, addresses, social media posts, and even your IP address and the sites you’ve visited are all stored digitally.

Companies tell you that they collect this type of information so that they can serve you better, offer you more targeted and relevant communications, all to provide you with a better customer experience.

But, is that what they really use the data for?

This is the question the EU has asked and answered, and why on 25 May 2018 a new European privacy regulation, the GDPR, came into force. It permanently changes the way you, as a business, collect, store and use customer data.

In a study of more than 800 IT and business professionals that are responsible for data privacy at companies with European customers, Dell and Dimension Research found that 80% of businesses know few details or nothing about GDPR.

But, perhaps worst of all, 97% of companies said they were not prepared for when GDPR took effect.

Is your organization prepared for GDPR and the May 2018 deadline?

Of course, we can understand if a small brick-and-mortar store is finding it difficult to prepare for GDPR, but the latest research from the Ponemon Institute found that 60% of tech companies aren’t ready either.

So, whether you’re in tech, travel or retail, or an entrepreneur, we will explain what GDPR is, how it impacts your business, and include practical tips on how you can start preparing for GDPR.

What is GDPR?

On May 25, 2018, the new European privacy regulation called The General Data Protection Regulation (GDPR) came into effect.

The regulation applies directly in every EU and EEA member state, so there is one set of rules rather than a patchwork of national laws. It applies to every company that offers goods or services to, or stores personal data about, individuals in the EU and EEA, including companies on other continents. Note that it protects people located in the EU and EEA, not only citizens. It gives those individuals greater control over their personal data and assurances that their information is being protected across Europe.

Under the GDPR (a regulation which, unlike the earlier data protection directive it replaced, applies directly without national implementing laws), personal data is any information relating to an identified or identifiable person, such as a name, a photo, an email address, bank details, posts on social networking sites, location data, medical information, or a computer’s IP address.

There is no distinction between personal data about individuals in their private, public or work roles: the person is the person. This applies in a B2B setting too, because everything is about individuals interacting and sharing information with and about each other. Customers in B2B markets are companies, but the relationships that handle the business are between people, and a named contact’s work email address or direct phone number is still personal data.

Under the GDPR, individuals have:

  1. The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
  2. The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
  3. The right to data portability – Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine readable format.
  4. The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
  5. The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
  6. The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
  7. The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
  8. The right to be notified – if there has been a data breach that is likely to result in a high risk to individuals, they have the right to be informed without undue delay. Separately, the organization must report the breach to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more power over their data and less power to the organizations that collect and use such data for monetary gain.

The Business Implications of GDPR

This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with this regulation falls upon businesses and organizations.

In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Organizations established outside the EU are also subject to it: if your business offers goods and/or services to individuals in the EU, or monitors their behaviour, it is subject to GDPR.

All organizations and companies that work with personal data should assign clear responsibility for GDPR compliance, and must appoint a data protection officer (DPO) where the regulation requires one: public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data such as health records.

There are tough penalties for companies and organizations that don’t comply with GDPR: fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is greater.

Many people might think that the GDPR is just an IT issue, but that is the furthest from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.

The Impact of GDPR on Customer Engagement

The conditions for obtaining consent are stricter under GDPR: the individual must have the right to withdraw consent at any time, and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.

This means you have to be able to prove that the individual agreed to a certain action, to receive a newsletter for instance. You are not allowed to assume consent or bury it in a disclaimer, and providing an opt-out option is not enough.

GDPR changes a lot of things for companies, such as the way your sales teams prospect or the way that marketing activities are managed. Companies have had to review business processes, applications and forms against email marketing best practices, and most have adopted double opt-in: it is not spelled out in the regulation itself, but it is the simplest way to demonstrate that consent was given by the person who actually owns the address. To sign up for communications, prospects fill out a form or tick a box and then confirm it was their action by clicking a link in a follow-up email.

Organizations must be able to prove that consent was given if an individual objects to receiving a communication. This means that any data held must have a time-stamped audit trail and reporting that details what the contact opted into, when, and how.
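The double opt-in flow and the time-stamped audit trail described above, as an added example that is not part of the original post and not SuperOffice code. It is written in Python with an in-memory list standing in for the CRM database; the HMAC signing key, the 48-hour link lifetime, the hash-chained ledger and the address anna@example.com are assumptions of the example, not details from the article. The point it adds to the text: consent is recorded only after the link is clicked, the link is bound to one address and purpose so it cannot be used to "confirm" somebody else, and the ledger is tamper-evident, so the audit trail you would show a supervisory authority can be checked rather than just trusted.

```python
"""Double opt-in with a time-stamped, tamper-evident consent audit trail.

Added example, not code from the original post. Assumptions: an in-memory
list stands in for the CRM database; the HMAC key is generated here but would
come from a secrets manager in production; the confirmation link is delivered
to the address by email, out of band.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict

SIGNING_KEY = secrets.token_bytes(32)   # assumption: from a secrets manager in production
TOKEN_TTL_SECONDS = 48 * 3600          # a confirmation link is valid for 48 hours
GENESIS = "0" * 64                     # digest "before" the first ledger entry


@dataclass
class ConsentEvent:
    email: str
    purpose: str        # what was opted into, e.g. "newsletter"
    action: str         # "requested", "confirmed" or "withdrawn"
    timestamp: int      # Unix time (UTC) when the action happened
    source: str         # how it happened: web form, confirmation link, unsubscribe link
    evidence: dict      # what the person saw and did: form text version, IP address, ...


class ConsentLedger:
    """Append-only log. Each entry stores a SHA-256 over the previous entry's
    digest plus its own content, so editing or dropping an entry afterwards
    is detectable when the chain is verified."""

    def __init__(self) -> None:
        self.entries: list[tuple[ConsentEvent, str]] = []

    @staticmethod
    def _digest(prev: str, ev: ConsentEvent) -> str:
        payload = prev + json.dumps(asdict(ev), sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, ev: ConsentEvent) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        digest = self._digest(prev, ev)
        self.entries.append((ev, digest))
        return digest

    def verify_chain(self) -> bool:
        prev = GENESIS
        for ev, digest in self.entries:
            if self._digest(prev, ev) != digest:
                return False
            prev = digest
        return True

    def has_valid_consent(self, email: str, purpose: str) -> bool:
        """Only a confirmed click counts, and a later withdrawal revokes it."""
        state = False
        for ev, _ in self.entries:
            if ev.email == email and ev.purpose == purpose:
                if ev.action == "confirmed":
                    state = True
                elif ev.action == "withdrawn":
                    state = False
        return state


def make_token(email: str, purpose: str, issued_at: int) -> str:
    """HMAC binds address, purpose and issue time: a link for one address cannot
    confirm another, and nobody without the key can mint a link at all."""
    msg = f"{email}|{purpose}|{issued_at}".encode()
    return f"{issued_at}.{hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()}"


def check_token(email: str, purpose: str, token: str, now: int) -> bool:
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    msg = f"{email}|{purpose}|{issued_at}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def request_signup(ledger: ConsentLedger, email: str, purpose: str,
                   form_version: str, ip: str, now: int) -> str:
    """Step 1: the form was submitted. Record it and return the token that goes
    into the confirmation email. No consent exists yet."""
    ledger.append(ConsentEvent(email, purpose, "requested", now, "web form",
                               {"form_version": form_version, "ip": ip}))
    return make_token(email, purpose, now)


def confirm_signup(ledger: ConsentLedger, email: str, purpose: str,
                   token: str, now: int) -> bool:
    """Step 2: the link in the email was clicked. Consent exists only after this."""
    if not check_token(email, purpose, token, now):
        return False
    ledger.append(ConsentEvent(email, purpose, "confirmed", now, "confirmation link",
                               {"token_issued_at": int(token.split(".", 1)[0])}))
    return True


def withdraw(ledger: ConsentLedger, email: str, purpose: str, now: int,
             source: str = "unsubscribe link") -> None:
    ledger.append(ConsentEvent(email, purpose, "withdrawn", now, source, {}))
```

To answer an objection you would replay the ledger for that address: the "requested" entry shows the form version and origin, the "confirmed" entry shows the click and when, and verify_chain() shows the records have not been altered since. The evidence dict is where the exact wording the person agreed to (or a version number pointing at it) belongs, because proving consent means proving what was consented to.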

If you purchase marketing lists, you are still responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data.

In the B2B world, sales people meet potential customers at a trade show, they exchange business cards, and when they come back to the office they add the contacts to the company’s mailing list. Since 2018, this is no longer acceptable without a lawful basis and a record of how and when each contact was obtained.

Companies will have to look at new ways of collecting customer information.

Preparations for GDPR-compliance

A key component of the GDPR legislation is privacy by design.

Privacy by design requires that all departments in a company look closely at their data and how they handle it. There are many things a company has to do in order to be compliant with GDPR. If you have yet to take the next step towards compliance, here are just a few ways to get started.

1. Map your company’s data

Map where all of the personal data in your entire business comes from and document what you do with the data. Identify where the data resides, who can access it and if there are any risks to the data. This is not only important for GDPR, but will help improve Customer Relationship Management.

2. Determine what data you need to keep

Don’t keep more information than necessary and remove any data that isn’t used. If your business collects a lot of data without any real benefit, you won’t be able to justify keeping it under GDPR. GDPR encourages a more disciplined treatment of personal data.

In the clean-up process, ask yourself:

  • Why exactly are we archiving this data instead of just erasing it?
  • Why are we saving all this data?
  • What are we trying to achieve by collecting all these categories of personal information?
  • Is it cheaper to delete this information than to keep protecting it (for example by encrypting it)?

3. Put security measures in place

Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against breaches, and being ready to act quickly when one does occur: notify your supervisory authority within 72 hours of becoming aware of it, and notify the affected individuals without undue delay where the breach is likely to put them at high risk.

Make sure to check with your suppliers too. Outsourcing doesn’t exempt you from liability, so you need to make sure that they have the right security measures in place as well, and that a written data processing agreement exists with each of them.

4. Review your documentation

Where you rely on consent, individuals have to give it through a clear affirmative action. Pre-checked boxes and implied consent are no longer acceptable. You will have to review all of your privacy statements and disclosures and adjust them where needed.

5. Establish procedures for handling personal data

As we mentioned earlier, individuals have 8 basic rights under GDPR.

You will need to establish policies and procedures for how you will handle each of these situations.

For example:

  1. How can individuals give consent in a legal manner?
  2. What is the process if an individual wants his data to be deleted?
  3. How will you ensure that it is done across all platforms and that it really is deleted?
  4. If an individual wants his data to be transferred, how will you do it?
  5. How will you confirm that the person who requested to have his data transferred is the person he says he is?
  6. What is the communication plan in case of a data breach?
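Questions 2 and 3 above (erasing across all platforms, and making sure it really is deleted), as an added example that is not part of the original post and not SuperOffice code. Three in-memory stores stand in for a CRM, a mailing tool and an invoicing system; the keyed suppression hash, the pseudonymising RetentionStore and the addresses bob@example.com and x@example.org are assumptions of the example. It goes a little beyond the questions in the text: it also covers the purchased-list case from the article, by refusing to re-import an address that previously asked to be erased, and it keeps invoice records that a contract or tax rule requires while stripping the identifying fields. Confirming that the requester really is the person on record is left out; a confirmation link sent to the address on file is the usual approach.

```python
"""Erasure request: delete in every store, pseudonymise what must be kept,
verify after the fact, and make sure the contact is not re-imported later.

Added example, not code from the original post. Assumptions: three in-memory
stores stand in for a CRM, a mailing-list tool and an invoicing system; the
suppression list is a set of keyed hashes whose key would come from a secrets
manager. Verifying the requester's identity is out of scope here.
"""
import hashlib
import hmac
import secrets

SUPPRESSION_KEY = secrets.token_bytes(32)   # assumption: from a secrets manager in production


def canonical(email: str) -> str:
    """Addresses compare case-insensitively and ignoring surrounding whitespace."""
    return email.strip().lower()


def suppression_id(email: str) -> str:
    """Keyed hash of the address. An import can recognise a returning address
    without the erased address itself being kept in clear text, and the key
    stops anyone holding a copy of the list from brute-forcing it offline."""
    return hmac.new(SUPPRESSION_KEY, canonical(email).encode(), hashlib.sha256).hexdigest()


class Store:
    """A system that holds contact records as dicts with an 'email' key."""

    def __init__(self, name: str, records: list[dict]) -> None:
        self.name = name
        self.records = records

    def find(self, email: str) -> list[dict]:
        return [r for r in self.records if canonical(r["email"]) == canonical(email)]

    def erase(self, email: str) -> int:
        before = len(self.records)
        self.records = [r for r in self.records if canonical(r["email"]) != canonical(email)]
        return before - len(self.records)


class RetentionStore(Store):
    """Records that must be kept for a contract or a legal retention period
    (invoices, for instance) are not dropped; the identifying fields are
    overwritten so the record no longer points at the person."""

    def erase(self, email: str) -> int:
        n = 0
        for r in self.records:
            if canonical(r["email"]) == canonical(email):
                r["email"] = "erased"
                r["name"] = "erased"
                n += 1
        return n


def process_erasure(email: str, stores: list[Store], suppression: set) -> dict:
    """Erase in every store, then re-query each one independently: the report
    shows what was removed and whether anything is still findable."""
    report = {"removed": {}, "residual": {}}
    for s in stores:
        report["removed"][s.name] = s.erase(email)
    for s in stores:                        # check after the fact, not trust
        report["residual"][s.name] = len(s.find(email))
    report["complete"] = all(v == 0 for v in report["residual"].values())
    suppression.add(suppression_id(email))  # remember the request, not the address
    return report


def import_contact(email: str, suppression: set, target: Store) -> bool:
    """Guard for list imports (purchased lists, trade-show scans): a contact who
    asked to be erased is refused rather than silently re-created."""
    if suppression_id(email) in suppression:
        return False
    target.records.append({"email": canonical(email)})
    return True
```

The report is what you keep as proof that the request was handled: per-store counts plus a residual check that is run against each store after erasure rather than inferred from the delete call's return value. Backups and downstream processors are the usual gaps this kind of check does not cover, so the same list of stores should include every system the data-mapping step in section 1 turned up.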

Conclusion

Data is a valuable currency in this new world.

And while GDPR does create challenges and pain for us as businesses, it also creates opportunity.

Companies that show they value an individual’s privacy (beyond mere legal compliance), that are transparent about how the data is used, and that design and implement new and improved ways of managing customer data throughout its life cycle build deeper trust and retain more loyal customers.

When it was first announced in 2016, it felt like there was plenty of time for businesses to take the necessary steps. But that time has flown by and many companies are still scrambling, even after the deadline has passed. So, if you haven’t already started your journey, we urge you to start now.

Dedicate time to understand what you need to do in order to become compliant and use the practical tips shared in this article to help you get started. Then, create a plan of action for your journey to GDPR so you can ensure you and your business are compliant sooner rather than later.

How will GDPR impact your business?

Let me know in the comment section below.

P.S. If you’re interested to know more about how GDPR affects your customer data, then contact us today.


Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.


About Jennifer Lund


Jennifer Lund is the Chief Marketing Officer (CMO) at SuperOffice. A strong believer in the synergy of branding and marketing as the cornerstone of a successful business strategy, Jennifer is passionate about taking the company’s brand identity to new heights, by focusing on how the application of the brand and modern marketing trends can elevate the overall customer experience. You can connect with Jennifer on Twitter @jenniferlund.

106 Comments

Piason Viriri

about 1 year ago

good material on GDPR.


Ishmael Turay

about 1 year ago

GDPR is a very important strategy for business people as the world is now governed by entrepreneurs


Sonal Patil

about 1 year ago

Thanks for sharing such useful information about GDPR, It gave me ideas for customer retention.


Kaminska Zakrzewska

about 12 months ago

Nice write up on GDPR. Thanks for this comprehensive information. Loved it!


Debbie

about 10 months ago

If a company holds a private contact list which is only used when there is need to contact an individual, does this come under the GDPR regulations? The list is held digitally but is not used for any marketing purposes or automatic processes. Despite looking I can find no reference to private lists and your thoughts would be helpful.


Steven MacDonald

about 10 months ago

Great question, Debbie! If your private contact list includes customers, then it should be compliant with GDPR. But if they are not customers, you will most likely still need to get their consent to store the data.


Usama NabiL

about 10 months ago

So, I got a question: what if I am an outsourcer handling customers' interactions, which includes my team accessing customers' private personal and financial data, yet I access this data through my client's system that I have just been given access to? I don't host the system, I don't host servers, and I don't store or back up data. Am I still obliged, or does that fall under complete ownership of my client, so that I shouldn't change anything about what I am doing? Thanks


Steven MacDonald

about 10 months ago

Thanks for commenting, Usama. Great question! I would suggest speaking with your clients to see what steps they are taking towards becoming GDPR compliant.


Vicki Watson

about 9 months ago

From 25 May 2018, the EU GDPR (General Data Protection Regulation) will affect every organisation that processes the personal information of EU residents. A really interesting and insightful blog post. Tens of thousands of organisations around the world are facing a major upheaval in the way they process data. Complying with GDPR is not straightforward. It will require detailed planning and collaboration with all the businesses in your chain.


Steven MacDonald

about 9 months ago

Well said, Vicki! Thank you for contributing with your comment.


Peter

about 9 months ago

Our cricket association holds members' email addresses as well as mobile numbers. Will this come under GDPR?


Steven MacDonald

about 9 months ago

Thanks for the comment, Peter. Do you have consent that their information is stored?


Anna

about 9 months ago

How about old contact information for current/former customers and/or sales contacts (from trade shows)? Will we need to send a mail out to each of them to confirm they know they are in our CRM system or will GDPR only apply to new contact information loaded?


Steven MacDonald

about 9 months ago

Hi Anna. For customers, you should be OK, but for sales contacts, I recommend reaching out to them to gain consent to store their data. GDPR affects both new and existing customers.


John Chapman

about 9 months ago

As a small, specialist executive search company handling a small number of assignments per year, what permissions do I need to obtain? Firstly in respect of prospective candidates' cvs that are submitted to me for consideration in respect of a particular vacancy, or generally for consideration of future opportunities. Secondly, in respect of client contacts/prospects.


Steven MacDonald

about 8 months ago

Hi John, thanks for the comment. You will need to get consent to store any prospect or client data.


Olivia Bridges

about 7 months ago

Hi Steven, this is a really helpful summary, thank you. We are a small UK based art dealer, but we have clients in the US and outside of Europe. Do we need to gain their consent to continue to hold their client information and market to them? With many thanks in advance, Olivia


Steven MacDonald

about 7 months ago

Hi Olivia. As far as I am aware, you do not need consent to market to clients outside of Europe.


John Jeapes

about 7 months ago

Telephone and email lists of internal contact details provided by a customer - are these consent free under GDPR? Is it feasible that individuals can request removal, when they are a fundamental contact point to answer any question to enable contractual obligations to be managed?


Steven MacDonald

about 6 months ago

Hi John. Any individual can request removal of their data, but when their data is tied to a contract it can be a challenge. You could always request that the contract be transferred or try to anonymize the data.


Jonathan Hooper

about 6 months ago

We have a field sales team, all of whom have mobile phones and laptops containing various customer and prospect information (contact details etc) - will they need to seek permission before this data can be stored? What about prospects?


Steven MacDonald

about 6 months ago

Hi Jonathan. For customers, you should be OK. For prospects, I recommend reaching out to them to ask for consent to store their data, just to be sure.


Beth

about 6 months ago

Hi. I understand that for new/future contacts we physically need an individual to opt in - how does the new legislation apply to contacts we already have stored? The initial sign up form for these contacts had a clause at the top along the lines of 'By giving us your details you agree for us to contact you and to keep you informed about our products. We will not pass your details on to any third party.' - but no actual opt in tick box. The email communication also had an unsubscribe link. Can we continue to use these contacts or do we have to regain opt in permission? Thanks.


Steven MacDonald

about 6 months ago

Hi Beth. If you have previously sent marketing communications to your prospect list, then you do not need to reconfirm their opt-in - providing there has always been an option to opt-out of further messages.


Debbie

about 6 months ago

How will GDPR affect direct postal mail shots from pre purchased mailing lists? Does consent have to be re-obtained by the company who has purchased a list before any customer interaction can begin?


Steven MacDonald

about 6 months ago

Good question, Debbie. To be honest, I'm not sure how GDPR affects direct mail.


Jayaraj Chanku

about 6 months ago

Excellent content regarding GDPR. In this world based on data, GDPR plays an important role in protecting and securing it. Nice post!


David Lawrence

about 6 months ago

Hi Jennifer, Thanks for providing such informative post about GDPR - it really helps business owners who are preparing their business across globe for the May 25th deadline.


Mark Day

about 5 months ago

Hello. Very informative, thank you. Someone asked the question about using the details from a business card as not being consent. Would the same apply to an email, i.e. if Bert forwarded Fred's email details to someone else for the purpose of recommending that person as a potential customer or lead for him to follow up, this would need consent from that contact, yes?


Steven MacDonald

about 5 months ago

Hi Mark. In this case, I recommend speaking to the person on the phone first before you store their details.


JP

about 5 months ago

Great comments Steven and responses. We have a 20 year old database with thousands of contacts, 75% prospects, and a team of cold callers / warm callers etc, as is typical with many companies. Will we still be able to email them and make cold calls? Or is the whole point that they need to opt in for us to do this.


Steven MacDonald

about 5 months ago

Thanks, JP! If people on your list have already received email campaigns from you in the past, then it should be OK to continue sending them under GDPR. But, I would suggest that you offer those who haven't received an email in the past the chance to opt-in for future emails.


Rikard

about 5 months ago

Hi Steven, thank you for many good responses here. I think we all are very uncertain on how to behave towards non-customers. We are a software company with a few customers and even more prospects. The prospects have been found using different products like LinkedIn etc. We have sent "cold e-mails" to these, and some of them have responded and are interested / semi-interested in our products. These are now stored in SuperOffice, but can we keep them? Or should we send them an e-mail telling we have stored them and they need to give us their consent?


Steven MacDonald

about 5 months ago

Hi Rikard, thank you for leaving a comment. Yes, there's a lot of uncertainty around GDPR! Cold emailing is fine, so you can continue to do this.


Rikard

about 5 months ago

Thank you Steven for your clarification. This raises another question; You say Cold e-mailing is fine, but storing the prospects for these cold e-mailing is not fine? Or would you say we can store them but we should delete them after a certain amount of time?


David Morgan

about 5 months ago

Hi Steven, very informative with some extremely helpful questions and replies. Thank you. With the deadline looming, I'm still unsure as to my next steps re. GDPR compliance. I run a Ltd. company, a Learning & Development consultancy, working both directly through my company and as an Associate for other businesses e.g. training brokers. My company employs only me. I hold current and past customer contacts along with business address, email and telephone details. That's all I have. The contacts reside on my PC and mobile phone and not in the cloud. Your thoughts on where I stand with GDPR and the need to obtain consent from current and past customers would be appreciated.


Steven MacDonald

about 5 months ago

Hi David, thanks for commenting and I most definitely understand your concerns here. Providing customer data is stored securely and that if any former customers ask you to remove/ delete their data and you can prove you have done it, then you should be fine to continue the way you do today.


Rikard

about 5 months ago

Hi Steven, we can still continue doing "cold e-mailing" but we can't store the prospects in SuperOffice without their consent? Can you explain a little more around this? Thank you for your help!


Natasha Burke

about 5 months ago

Hi Steven, Very informative article. I do have a few questions: We are a small company in the EU with 15+ employees and have about 6 remote employees in and around other non-EU countries. - How will GDPR impact us due to this? - What will our (company's) role in GDPR be towards our customers? - Is it a problem with having employees/contractors outside of EU? - What steps should we take to incorporate GDPR in the company and work with EU and non-EU companies and contractors?


Steven MacDonald

about 5 months ago

Hi Natasha, thanks for commenting. As these GDPR-related questions are very specific to your business, I recommend that you speak with a lawyer. They can provide you with the answers you need.


Tammy

about 5 months ago

Hi. We are a freight forwarding / shipping company. We process requests to ship goods all over the world. We only collect the name, address and number of the shipper and the name, address and number of the receiver. This data is then obviously given to the shipping line and import/export offices. Do we have to record this information, and especially for the companies and ports outside the EU, how do we make sure they are complying with the GDPR as it is not their legal system? If they do not comply, does that mean we can no longer use them for shipping or import/export offices?


Steven MacDonald

about 5 months ago

Great question, Tammy. I suggest you speak with a legal team on this one.


Tammy

about 5 months ago

Hi Natasha. We are in the same position. We are a freight forwarders and shipping company, so we collect the name and address of who we ship for and the details of who we are shipping to, and these are in countries all over the world. Obviously we have to share these details with customs and the shipping lines, but like your company they are not in the EU, so how do we make sure they are being compliant with the data we have handed over? We are processing data of people within the EU so we have to conform, but no idea how??


Tony

about 4 months ago

In our business a number of people use their contacts on their business phone to include personal contacts as well as customers and suppliers. Do we need to do anything about these personal contacts?


Steven MacDonald

about 4 months ago

Hi Tony, thanks for leaving a comment! Can you share a few more details here? Not sure I fully understand the question.


emmy hughes

about 4 months ago

Hi, I am self employed and run an extra tuition service. Parents' details are on my phone in text messages and in a paper based filofax. I lease a photocopier to copy work and books for the kids, but the company is telling me I need to pay £60 a month for a new security device on the copier to ensure I'm compliant, but I do not use it to process personal details: I scan maths work and send it to the hard drive of my laptop or photocopy books. Please advise, as they are saying I need to pay it or I will be fined? Thanks!


Steven MacDonald

about 4 months ago

Hi Emmy! Great question. To be honest, I'm not sure how to answer this, so I suggest you speak with a lawyer, just to be sure.


Manny

about 4 months ago

Hi, I work in records management and the legal dept are currently revising the records retention plan to include GDPR. I am not sure what the outcome will be and the impact on my job as records manager. Is GDPR only relevant to PERSONAL data regardless of the person being an employee, customer etc.? I am getting conflicting messages from within the company that it doesn't just affect HR but also other departments. I'd be grateful for your input. Thanks


Steven MacDonald

about 4 months ago

Hi Manny. Good luck, and I hope things work out with your job. GDPR will touch on more departments than just HR. For example, GDPR heavily impacts sales and marketing teams too.


Juhi Purswani

about 4 months ago

Enforcement of GDPR is for sure going to have a huge impact on the business industry. To comply with the laws and having a proper contingency plan at a place will prove to be effective. This is quite an insightful article covering all the basic requirements of GDPR.


Tracey

about 4 months ago

Hi there, been reading all the comments and replies, very useful, thank you everyone. We are a new business, a fudge/sweet shop. We’ve been contacted by a company that says we need to be GDPR compliant, is this true? We have a card terminal only, no personal information is stored electronically. All receipts are locked away for accountants only and for tax purposes. Thank you


Steven MacDonald

about 4 months ago

Hi Tracey! I understand your concern. GDPR impacts all businesses, but to varying degrees. I suggest speaking with a lawyer, just to be sure given your unique circumstance.


steve

about 4 months ago

Hi. Small businesses pay me to promote their businesses on several websites I own. Their details, e.g. shop name, sector and relevant links, are promoted on the sites. I don't store any other info about them or sell their info on. How does GDPR affect me when selling an advert to a new customer?


Steven MacDonald

about 4 months ago

Hi Steve. If you do not collect personal data, then you should be fine.


Chris Callaghan

about 4 months ago

We do work on behalf of a trade union, for "members" who pay us a fee to manage activities on their behalf. We email them to discuss the work, to send reports about the work we do, and to send invoices. We don't sell anything so we don't market anything. Must we get permission from the email owners to use their email address/phone number in this way?


Steven MacDonald

about 4 months ago

Hi Chris. Thanks for leaving a comment. As long as you do not store personal data, then the way you work will most likely not change.


Chris Callaghan

about 4 months ago

Hi Steven, I see contradictory information around the internet about whether existing contacts need to give consent or not. Are you able to point to the part of the GDPR that stipulates that it is not necessary to obtain consent from existing contacts?


Steven MacDonald

about 4 months ago

Hi Chris, I believe the answer you are looking for can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en


Peter Craig

about 4 months ago

Would be worth writing a separate article on data controllers/processors and how to get GDPR ready as this is a bit fuzzy field. Great article. Keep up the good work!


Steven MacDonald

about 4 months ago

Great suggestion, Peter!


Forina

about 3 months ago

Hi Steven, our web application collects the full name of users and then creates a user login that is registered in our system. Do we still have to comply with the GDPR? The majority of our customers are in the US, but we still have customers from Europe. However, we don't collect special dates. The email address and phone number are tied to the company they registered with, nothing personal. Are these data still categorized under GDPR? Thanks in advance


Steven MacDonald

about 3 months ago

Hi Forina. Yes, I think so, but I recommend seeking legal advice, just to be sure.


Kathy Hess

about 3 months ago

Hi Steven, Thank for the info on this issue. We are a US company that stores the business email addresses/phone numbers of employees of our EU customers for contact regarding purchasing and accounting issues. Am I correct in assuming that we don't need to request consent from these people since they are existing customers?


Steven MacDonald

about 3 months ago

Hi Kathy, yes you should be fine seeing as you're talking about existing customers.


Ammar

about 3 months ago

We are using an order form, a contact us form and a comment section where we take user information like email, name etc. So do we have to provide withdrawal option in all these pages if user wants to delete his/her data from our records? If yes then how will we keep record of our orders?


Steven MacDonald

about 3 months ago

You don't need to include a withdrawal option, Ammar. Withdrawal can be included in your email campaigns via an unsubscribe link.


Ammar

about 3 months ago

But sir, we are not using email campaigns right now. The order form takes information to complete the order process and to use this information in checkout. The contact us form takes information to respond to user queries, and the comment section takes information to get feedback from customers.

Reply

Steven MacDonald

about 3 months ago

Thanks, Ammar. Maybe you can include a new form on your website that is only used for withdrawal requests?

Reply

Sharon Smith

about 3 months ago

The General Data Protection Regulation (GDPR) represents the EU's 'consumer-first' commitment and endeavor to tighten data privacy control, safeguard the rights of individuals, and establish trust between consumers and organizations. There are eight guidelines that GDPR means for businesses within and outside the European Union: obtain consent, ensure the rights of individuals, demonstrate accountability and much more. A data protection officer (DPO) is an enterprise security leadership role required by the GDPR. DPOs are completely responsible for data protection and privacy in their organization.

Reply

Ammar

about 3 months ago

We are using Google Analytics on our websites like everyone else, so do we have to sign the Google Data Processing Amendment? This one: https://support.google.com/analytics/answer/3379636?hl=en&ref_topic=2919631

Reply

Steven MacDonald

about 3 months ago

I think that would be a good idea, Ammar.

Reply

A.G.

about 3 months ago

Hi, we are a US company with a UK subsidiary that has 2 employees. Both of their employment contracts include a standard clause: "Subject to your rights under the Data Protection Act 1998, you consent to the processing of any data relating to you, in particular, to the processing of any 'sensitive personal data' (as defined in the Act) relating to you and to the transfer of any personal data to any Group Company located outside the European Economic Area." Does this constitute consent to storage of their personal data (for purposes of payroll)?

Reply

Steven MacDonald

about 3 months ago

Hi. Unfortunately, I'm not sure about this. Have you spoken with your legal team?

Reply

Quera

about 3 months ago

Hi, as an IT consulting company we do not process personal data, but we do have contact information (email address, phone number, etc.) of counterparts at customer companies in the EU. We do not use their contact information for marketing purposes, but for daily communication about projects and so on. Are we affected by GDPR?

Reply

Steven MacDonald

about 3 months ago

Thanks for the comment, Quera! You might be affected by GDPR, yes, so I recommend speaking with the legal team or DPO at your company to see exactly how it will impact you.

Reply

Tim Oliver

about 3 months ago

Hi, my company is B2B. We do not do any mailings to customers or prospects; the only mails we send are invoices / statements / quotes. Some people order through our website, but most of it is direct through our office. We do not store any credit card details etc. Do we have a GDPR issue? Thanks, Tim

Reply

Steven MacDonald

about 3 months ago

Thanks for commenting, Tim. If you store any information on your customers - even if it's as simple as a delivery address - then GDPR applies to you.

Reply

Ammar

about 3 months ago

Sir, please guide me about using consent for Google AdSense, as Google has asked publishers to take consent from visitors on their sites, but it didn't say how to implement it.

Reply

David

about 3 months ago

Hi, I run a home-visit computer repair service (no employees), so I hold customers' names, addresses and telephone numbers in my phone. Do I need to ask my customers again for permission to keep these details?

Reply

Steven MacDonald

about 3 months ago

Hi David, you should be fine. The GDPR impact is different for customers, compared to prospects.

Reply

David Sumeray

about 3 months ago

Thanks Steven, I presume by your answer that there is nothing I need to do?

Reply

Steven MacDonald

about 3 months ago

You're welcome, David. That's right, you shouldn't need to do anything.

Reply

Arunas

about 3 months ago

Hey, Steven! Thank you so much for your important notes and greatly informative article. We are brokers dealing in the international business environment with hundreds and hundreds of contacts in various countries worldwide (similar brokers, shipowners, operators, etc.) who daily circulate various orders, and at the same time we are getting hundreds of e-mails daily from various similar competing companies or co-brokers, shipowners, etc. It is the way this business is run and will go on. In the last few days we have been getting various queries asking us to give consent for further circulars to be sent to us, which we agree to. We also received a more neutral wording which does not require explicit consent. I would like to quote it here: "If you are not interested to receive our future circulars and want your e-mail to be deleted with ourselves please notify us in due course and we will delete all relevant information accordingly. In the meantime, we hereby authorize you to keep our contact information with yourselves and continue sending us your commercial information related to our business." The question is whether such wording is sufficient in terms of GDPR for the asking party to comply with the necessity to get explicit consent when the addressee does not react, presuming that they therefore agree to receive circulars in the future? If it's fine, then should such a query be sent to the contact party only once, or be included in every e-mail sent in the future? Thank you for your expertise.

Reply

Steven MacDonald

about 3 months ago

Thanks for commenting, Arunas! To be honest, I'm not sure. Have you spoken with a lawyer about this?

Reply

Sue

about 3 months ago

Hi Steven, we run a small plumbing & heating company in a small rural area where most of our clients are regulars. Am I understanding this right, that we don't require consent from existing customers but that we would have to get consent from new customers? Also, is there a pro-forma privacy policy statement for small businesses like ours that we could print off to use? Thanks in advance.

Reply

Steven MacDonald

about 3 months ago

Hi Sue, that's correct. You do not need to gain consent from existing customers, but you should always provide a way for them to opt-out of marketing messages should they wish to do so. Unfortunately, I haven't come across any small business templates.

Reply

Diane

about 3 months ago

Hello, I work for a small property management company in Cyprus, and my job is to deal with holiday bookings for our apartments, villas, etc. We advertise these on our own website, as well as Owners Direct, Holiday Lettings and Airbnb, so bookings can come from any of these sources. Once a booking is received, I send out information regarding the booking, such as directions and arrival information, and this is sent by email, which I obtain from the listings website once their booking is confirmed. I then store the customer's name and email address in a contacts list in our Gmail account, and at the end of the year I send out an email to all these previous customers offering a special offer on holidays booked the following year, if booked by a certain date. I have not worked there long so I have only done this once at the end of 2017. We were discussing GDPR the other day and wondering how or if we need to comply with this, as we do not send marketing emails on a regular basis. I am not sure on the privacy policy of the listings sites, but when we do a booking through our own website all the paperwork is done manually and there are no opt-in or opt-out questions on the booking form. So, do I send out an email to all our previous customers asking if they still want to be notified of any special offers, and should I add the question to our booking form about having their email stored for future marketing emails?

Reply

Steven MacDonald

about 3 months ago

Hi Diane, thanks for leaving your comment. Seeing as all of your communication is related to customers, then you are fine to continue doing what you're doing.

Reply

Steve

about 3 months ago

Hi, for retaining proof of consent, the article mentions a time-stamped audit trail with information about what the contact opted into and how. As far as I'm aware, this includes the opt-in form itself, which represents quite an overhead for businesses, especially those with multiple forms, those who are split testing forms and so on, and for the audit trail you have to be able to link a particular form to a particular lead on your list. You can either try doing this manually with time-stamped screenshots of forms, which doesn't sound too sustainable, or using a service like optinopoli which records forms automatically each time a lead opts in.

Reply
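The audit trail Steve describes above (a time-stamped record of what each contact opted into, how, and on which form) is easy to get wrong: a screenshot folder cannot be linked to a lead, and a plain database row can be edited after the fact. The example below is added here and is not code from the article, from SuperOffice, or from any tool mentioned in the comments. It keeps a snapshot of the exact form wording per form id (so split-test variants are distinguishable), stores each opt-in or withdrawal with a UTC timestamp and the form's hash, and hash-chains the records so a later edit or deletion is detectable. The contact address, form text and URLs are constructed sample data.

```python
"""Tamper-evident consent audit trail (added example, not from the article)."""
import hashlib
import json
from datetime import datetime, timezone


def _digest(obj):
    """Stable SHA-256 over a JSON-serialisable dict (sorted keys)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained record of opt-ins and withdrawals."""

    GENESIS = "0" * 64  # prev_hash of the very first record

    def __init__(self):
        self.forms = {}   # form_id -> {"hash": ..., "text": ...} snapshot of the wording shown
        self.events = []  # ordered list of consent records

    def register_form(self, form_id, form_text):
        """Snapshot the exact wording shown; each split-test variant gets its own id."""
        form_hash = hashlib.sha256(form_text.encode()).hexdigest()
        self.forms[form_id] = {"hash": form_hash, "text": form_text}
        return form_hash

    def record(self, contact, action, purposes, form_id, source, now=None):
        """Append one event. 'source' is how consent was given (page URL, link, etc.)."""
        if action not in ("opt_in", "withdraw"):
            raise ValueError("action must be 'opt_in' or 'withdraw'")
        if action == "opt_in" and form_id not in self.forms:
            raise KeyError("snapshot the form with register_form() before recording an opt-in")
        form_hash = self.forms[form_id]["hash"] if form_id in self.forms else None
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.events[-1]["record_hash"] if self.events else self.GENESIS
        body = {
            "contact": contact, "action": action, "purposes": sorted(purposes),
            "form_id": form_id, "form_hash": form_hash, "source": source,
            "timestamp": ts, "prev_hash": prev,
        }
        body["record_hash"] = _digest(body)  # commits to everything above, incl. prev_hash
        self.events.append(body)
        return body

    def consented_purposes(self, contact):
        """Current state: union of opt-ins minus later withdrawals (empty withdraw = all)."""
        active = set()
        for ev in self.events:
            if ev["contact"] != contact:
                continue
            if ev["action"] == "opt_in":
                active |= set(ev["purposes"])
            elif ev["purposes"]:
                active -= set(ev["purposes"])
            else:
                active.clear()
        return active

    def proof_of_consent(self, contact, purpose):
        """Latest opt-in covering 'purpose', with the form text shown, or None if withdrawn."""
        if purpose not in self.consented_purposes(contact):
            return None
        for ev in reversed(self.events):
            if ev["contact"] == contact and ev["action"] == "opt_in" and purpose in ev["purposes"]:
                return {"event": ev, "form_text": self.forms[ev["form_id"]]["text"]}
        return None

    def verify(self):
        """Recompute the chain; any edited, reordered or deleted record breaks it."""
        prev = self.GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "record_hash"}
            if ev["prev_hash"] != prev or _digest(body) != ev["record_hash"]:
                return False
            prev = ev["record_hash"]
        return True


def build_sample_ledger():
    """Constructed sample data: one opt-in on a signup form, one later partial withdrawal."""
    ledger = ConsentLedger()
    ledger.register_form(
        "signup-v2",  # hypothetical form id
        "[ ] Yes, email me the monthly newsletter and product offers (unticked by default)",
    )
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("alice@example.com", "opt_in", ("newsletter", "offers"),
                  "signup-v2", "https://example.com/signup", now=t0)
    ledger.record("alice@example.com", "withdraw", ("offers",),
                  None, "unsubscribe-link", now=t0.replace(day=26))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", ledger.verify())
    print("active purposes:", ledger.consented_purposes("alice@example.com"))
    print("proof for newsletter:", ledger.proof_of_consent("alice@example.com", "newsletter"))
```

The design choice worth noting is that the record commits to the hash of the form wording, not to the form id alone: if the copy on a form is changed later, old opt-ins still prove which wording the lead actually saw. The chain only detects tampering; it does not prevent it, so the ledger should live in append-only storage (or be periodically anchored, e.g. by signing the latest record hash) rather than in an ordinary editable table.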

Steven MacDonald

about 3 months ago

That's a great point, Steve. I recommend signing up for a demo of SuperOffice as our web form solution should solve most of, if not all, the challenges you mention.

Reply

Kasia

about 3 months ago

Hi Steven, I run a small ecommerce website. If I delete my customers' addresses, mobile numbers and email addresses as I don't need them, do I still have to be GDPR ready? I mean, once I send them their item I delete the contact details. I don't have a legal team. My business is just me. Should it be fine in your opinion? Thank you for your answer.

Reply

Steven MacDonald

about 3 months ago

Hi Kasia, you don't need to delete any customer data, as you have a legal basis for storing their information.

Reply

Kasia

about 3 months ago

Thank you so much, Steven, for your reply. I am struggling with these new regulations. So does that mean that if I don't use their data for any purpose I am fine with GDPR?

Reply

Steven MacDonald

about 3 months ago

Yes, if you're speaking about existing customers, then that's correct.

Reply

Ivan

about 3 months ago

Hi, I am running a free vector converter. Do I have to do GDPR for this website? The images and photos uploaded by people on this website aren't used for anything and the files are automatically deleted from the server after 1 hour. The website doesn't work with any other data besides images (no emails, no cookies etc.).

Reply

Steven MacDonald

about 3 months ago

Hi Ivan, thanks for your comment. As long as you do not process personal data, then you should be fine.

Reply

Brandon

about 3 months ago

One of the reasons businesses are not prepared for the new guidelines is that they don’t think it will affect them; for example, because they don’t process or hold much data, they assume they’re exempt. But the important thing to remember is that every business that has dealings in the EU must adhere.

Reply

Steven MacDonald

about 3 months ago

Spot on, Brandon!

Reply

Matthew Adamson

about 2 months ago

The article is really needed at this time and the details stated in the article are good and knowledgeable. It clearly describes the effect of GDPR on the world business market. Because of GDPR, every business has ensured itself and appointed a data protection officer of its own to inform stakeholders about the change prompted by GDPR. Thanks for sharing.

Reply

Steve

about 2 months ago

Thanks for sharing wonderful information. But the European Union is forcing companies to intensify privacy-specific policies, instead of implementing a separate GDPR-friendly policy for EU countries.

Reply

Kelly

about 2 months ago

Great article. We are a US-based manufacturer who does not sell direct to consumers, we are a co-packer/contract manufacturer that produces product for customers who reside in the Netherlands. Their products potentially go to consumers in the EU. Does GDPR impact our business? Thank you!

Reply

Steven MacDonald

about 2 months ago

That's a great question, Kelly. If you store data on customers that are based in the Netherlands, then GDPR does impact your business.

Reply

Mark McCue

about 6 days ago

I need to write an article on GDPR for my clients (as none of them seem overly bothered about GDPR, even though it's been plastered everywhere for a long time!). I found this very helpful, thanks!

Reply

Steven MacDonald

about 6 days ago

Thanks, Mark!

Reply

Dawn Ingley

about 6 days ago

Hi Steven, what if my company collects name, email address, plus other non-personal data (number of total attendees at event, number of people that need hotel accommodations, number of people with food allergies). My company only retains the numerical information and deletes name and email address. Does this render us not subject to GDPR?

Reply

Steven MacDonald

about 5 days ago

Good question, Dawn. I'm afraid I'm not sure how to handle this. Have you spoken to a legal team?

Reply
