GDPR Ticklists to Help You if You Missed the May 25 Deadline
Want to go straight to the ticklists?
I wonder how many businesses have deleted 75% of their hard-won contacts with “essential you opt back in” email campaigns? And they will lose them, because of this knee-jerk reaction to GDPR.
- everyone receives so many they’re ignoring them
- they’re probably not necessary
- they may be illegal under other regulations
You do need to act, but there’s no need to panic, even if you missed the deadline. This myth-busting piece in The Guardian may help put your mind at rest.
Like most of you guys, we’re a very small business, and this is our take on how it apples to us. This is what we’ve done, and what we’ll be doing in future. This post covers,
- Our GDPR promise
- GDPR planning tasks, some by May 25th 2018, some after
- Simple GRPR for sole traders and small organisations (updated 20 May 2018)
- Free GDPR tick list to download
- We’re not experts so please read this disclaimer, and where to find a second opinion
BlueTree GDPR Promise
We promise to treat all personal data with respect, and we’ll never knowingly share it with anyone else, nor use it for any purpose other than that for which it was collected.
GDPR Tasks to do Before May 25th
GDPR seems common sense, and we don’t have to change much anyway. Our compliance is based on this understanding:
- Make a list of all the places you hold personal data. We have one in a Word document.
- Be clear about what data you collect and why. For marketing, we hold email addresses, phone numbers and, for accounting, postal addresses.
- Write and Publish your Data Protection Strategy, optionally on your website. Here’s ours.
- Draw up plans to implement your strategy; you might not finish implementing them it before 25 May.
Before or After May 25th
- Only use personal data for the purpose you collected it and don’t share it with anyone else. We don’t.
- Hold personal data securely. We use networked, personal computers, with strong passwords. We store some in “the Cloud,” where it’s held securely by reliable, global corporations, namely Google, Dropbox and MailChimp. We don’t think we’re liable for breaches they may make, though we may need to contact people affected.
- Add people to your marketing list only if they opt-in; we use sign-up forms.
- Avoid collecting data from minors. We’ll do our best to identify them.
- Respond promptly to requests for copies of personal data you hold. We’ll do so for anyone who requests it on this form (it’s our usual contact form).
- Allow people to amend or delete their data. We’ll do this if they request it on the same form.
- Add an unsubscribe link in marketing emails and delete unsubscribed people. No need for us, MailChimp does this anyway.
- Tell the Information Commissioner, and people affected, if you get hacked. We can do this if it ever comes to our notice.
Simple GDPR for Sole Traders and Micro-Businesses
BBC Radio 4’s Money Programme (20 May) had some advice for sole traders and small organisations. You can download the podcast here. The bit about GDPR starts 21 minutes in. The example they used was a small allotment society, and the advice covers micro-businesses (like sole traders and partnerships) too. This is what we so.
- GDPR applies to business contacts, not to personal contacts, though if you do business with a friend or relative, that contact is affected.
- Existing contacts. There’s no need to stop mailing people already on our list:
- It’s fine keep personal data we have already, if we have a good reason to do so, e.g. they owe us money, or we do work for them sometimes. This is called a “legitimate interest”, apparently.
- It’s also fine to keep it if they gave us consent when we collected it; we won’t be asking anyone to opt in again unless we’re sure they didn’t consent.
- If we want to use personal data for anything other than why we collected it, we’ll ask for consent.
- New contacts, people whose data we want to store. We’ll ask their permission, tell them why, and that we’ll change or delete it if they ask you to.
- Security. We’re sure the paces we store it are secure. These include phones, computers and “cloud” storage; they’re protected with a PIN or password.
- Website. We collect personal data on our website with a sign-up or contact form; it’s encrypted, secured with an SSL certificate (HTTPS) – more on our blog here, and protected from web spiders with a reCAPTCHA,
- Updates. We promise to supply, change or delete their personal data if anyone asks.
You’re also supposed to have procedures in place, but sole traders and tiny businesses don’t do this formally, as a rule. Here at BlueTree, we have a list of places where we store personal data (MS Word document) and a short GDPR policy statement, published on our website.
Free GDPR Tick List Templates
We like tick-lists: lists of things to do, expressed as 1-liners. They’re terse task reminders, in sequence if that’s important. Print them out, tick off the jobs as you do them, then file the completed list as evidence of completion.
There are two GDPR template tick-lists in this document: start-up and on-going. Yours to use as they are, or modify, so long as you don’t blame us if anything goes wrong. Here’s your link.
Disclaimer and Where to Find GDPR Advice
We’re neither legal eagles, nor GDPR experts, and we’ve decided what to do after researching the subject. You’re welcome to copy what we do, but please don’t hold us responsible if anything bad happens.
By all means, copy our policy and put it on your website, but please don’t copy / paste it. We explain this here, help for new web page authors, “Golden Rule”.
If you search for “GDPR” using your favourite search engine, you’ll find masses of information. This is a problem: there’s too much, so how do you know which is correct?
We’ve found these pages both credible and informative.
- Information Commissioner’s advice on GDPR
- Federation of Small Business’s GDPR Preparation Checklist
- Myth-busting explainer article in The Guardian
Best of luck!
PS: If you think we got anything wrong, or have a question, please leave a comment. It’ll help others reading this post as well as us.