The 25th May is looming…
The deadline for being compliant with the new GDPR legislation is the 25th May 2018. From discussions with a lot of our clients this is something that is confusing, a little scary and something they are struggling with. There are a variety of experts out there with a variety of opinions, largely because the legislation has not yet been tested in practice and the guidance is developing on a constant basis.
How is it affecting us?
Well it appears there are two terms to describe people or businesses who hold data, a Data Controller and a Data Processor. Luckily for us at Sokada we are both… perfect!
- We are a Data Controller for the information we control, i.e. the names and contact details of our clients and their personal data.
- We are a Data Processor when we process data on behalf of our clients, i.e. your clients’ customer data, which we can access through the websites we manage for you.
This has meant extra work for us as we have had to update our Terms & Conditions, which all of our clients will now have to sign, agreeing that they will comply with our GDPR policy and are managing their data properly.
Getting the right policy
One of the key requirements seems to be a GDPR Privacy Policy. We are not sure how many businesses actually write their own policies, and whilst we do not condone the practice, in reality we all know many organisations “borrow” a policy from another organisation, “tweak” a few bits and believe their work is done. This may not be enough for GDPR.
In the past we have had an EU Cookie law which seemed almost as useful as an overly bent cucumber or chocolate that isn’t chocolate… EU law for the sake of it. But GDPR seems to be much more detailed. We are not sure how they will ever police many of the issues, but it has to be taken seriously. It’s also VERY important that we manage personal data properly.
So, the Privacy Policy now seems to be even more important. It should be used to detail and set out how personal data is processed as well as how it will be managed going forward. A bit like a Health & Safety policy where you have a plan for specific events; “in case of fire go to the fire door…”
Your Privacy Policy could state that once an online order has been processed you will delete any personal details within a specific time frame. Obviously one of the key elements to this is sticking to it and actually managing the data how you have said you will.
No one can tell you exactly what 100% GDPR compliance looks like, as it means many things to many organisations. However, having a GDPR privacy policy is a good place to start. Just having a policy in place and keeping to it will be a positive thing and will reflect favourably on the business if there are any issues with GDPR.
A few simple tips to developing your policy
Firstly, sit down and work out the many different ways you process personal data; this includes customers, employees, consultants and suppliers. We have been looking at this from a website point of view as that’s one of the key areas where we process data.
Here are a few things to consider:
- Website forms
- Shop orders
- Emails
Yes, we know they are pretty obvious, but one thing we discovered is that a lot of our clients don’t really use the CMS (Content Management System) on their website. What our clients didn’t know was that when someone completes an enquiry form, a copy of that form is stored online in the CMS. The same goes for online orders from the shops we manage. The client receives an email when an enquiry or order is placed and they just assume that is it, even though we go over the CMS with them when we launch the site and have trained them in how to use it.
So, many of our clients are storing customer data in places they weren’t aware of. If this is you, you will need to think about how you will manage this data under GDPR.
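The two points above (a policy that promises to delete personal details after a set period, and form entries quietly accumulating in the CMS) can be joined up with a small retention job. The following is an added example and is not Sokada’s code or part of any WordPress plugin. It assumes form submissions are stored as posts of a custom post type named `enquiry`, that the policy’s retention period is 90 days, and that the file is dropped into `wp-content/mu-plugins/` so it loads on every request; all three are assumptions, not facts from the post. Shop orders are stored differently and would need their own equivalent job.

```php
<?php
/*
 * Added example (not Sokada's code): a retention job for a WordPress site that
 * removes stored enquiry-form entries older than the period stated in the
 * privacy policy, so the site actually does what the policy says it does.
 *
 * Assumptions (not from the original post):
 *  - form submissions are stored as posts of a custom post type named 'enquiry';
 *  - the retention period in the policy is 90 days;
 *  - this file lives in wp-content/mu-plugins/ so WordPress loads it automatically.
 */

if (!defined('ABSPATH')) {
    exit; // only run inside WordPress
}

const SOKADA_EXAMPLE_RETENTION_DAYS = 90;        // assumed policy value
const SOKADA_EXAMPLE_POST_TYPE      = 'enquiry'; // assumed post type

/**
 * Return the IDs of stored entries older than the retention period.
 * Kept separate from the delete step so it can be run first as an audit,
 * e.g. to see how much personal data has built up unnoticed.
 */
function sokada_example_expired_entries(int $days = SOKADA_EXAMPLE_RETENTION_DAYS): array
{
    return get_posts([
        'post_type'      => SOKADA_EXAMPLE_POST_TYPE,
        'post_status'    => 'any',   // include drafts, pending, private entries too
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'date_query'     => [[ 'before' => "{$days} days ago", 'inclusive' => true ]],
    ]);
}

/**
 * Delete the expired entries. force_delete=true bypasses the trash; otherwise
 * the personal data would sit in wp_posts for another 30 days by default.
 */
function sokada_example_purge_expired_entries(): int
{
    $deleted = 0;
    foreach (sokada_example_expired_entries() as $post_id) {
        if (wp_delete_post($post_id, true)) {
            $deleted++;
        }
    }
    // Leave an audit trail of what was done, without logging the personal data itself.
    error_log(sprintf(
        '[retention] removed %d %s entries older than %d days',
        $deleted, SOKADA_EXAMPLE_POST_TYPE, SOKADA_EXAMPLE_RETENTION_DAYS
    ));
    return $deleted;
}

// Run the purge once a day via WP-Cron.
add_action('sokada_example_daily_retention', 'sokada_example_purge_expired_entries');
add_action('init', function () {
    if (!wp_next_scheduled('sokada_example_daily_retention')) {
        wp_schedule_event(time(), 'daily', 'sokada_example_daily_retention');
    }
});
```

Before enabling the scheduled purge, run the audit half on its own (for instance with WP-CLI: `wp eval 'var_dump(count(sokada_example_expired_entries()));'`) to see how many entries would go, and check that the retention period in the code is the same number that appears in the published policy; a policy that says 90 days and a job that keeps 180 is exactly the gap between “having a policy” and “keeping to it” that the post warns about.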
How are we trying to help?
At Sokada we build our clients’ websites using WordPress, in the same way that we designed our own website, so we use very similar systems. We should therefore be processing similar data and facing the same issues. We have been trying to look at GDPR in a practical way that will enable us to help our clients.
To enable Sokada to comply with GDPR we need our clients to comply with GDPR. To assist our clients we are therefore permitting you to use our revised T&Cs and our GDPR privacy policy as a template on which to base your own T&Cs and GDPR policy. If you are interested in using them please contact us. This is not legal advice from Sokada and you will need to amend them to reflect your specific needs and, of course, continually manage the data in accordance with the policy, but it’s a good start and better than starting from scratch.
Your GDPR policy is not set in stone; it must develop as your business does, diversifying and growing alongside it.
Sokada is committed to managing its way through the minefield that is GDPR and we are supporting our clients to achieve the same.