In my previous post, Are You GDPR Ready?, I suggested seven steps you should take to get ready for GDPR. In this post I’ll address numbers two and three:
Yes, the first thing to do, if you don’t already have one, is to write the policy. The new regulations advise businesses to use ordinary language so the best way to do this is to write it yourself. Take a look at the one on this site and also take a look at others, ideally for businesses similar to your own. Assuming you’ve done your audit already, you should understand exactly what data you have, how and why you use it, and where and how it is stored. All of that information needs to go into your policy document.
To publish this to your site, create a new page for your website or blog and copy the policy text there.
It’s good practice to make this easy to find, so add a link to it from your website’s menu or somewhere out of the way but not hidden, like the page footer.
If you have a website built around one of the many CRM platforms – Joomla, WordPress, SquareSpace, or Wix – the developers are ahead of the game, and there are a number of plugins that will make your work easier.
Search Google and you can easily find similar tools for the other platforms listed above. If you’re not sure what any of this means, ask your web developer for help but don’t ignore the issue! It’s a necessary step in ensuring your site (and therefore your business) is compliant.
The downside of this approach is that it’s fairly unsophisticated: anyone visiting the site again will again be taken to the same policy page and will be required to consent on each repeat visit.
Implement an Opt-In Policy
If you collect email addresses for a mailing list or use forms, you need to ensure that users opt-in to any use of or storage of their data.
Opt-In to Mailing Lists
Most mailing list forms require the user to enter their name and email address before clicking a button to submit the form. Make sure that your text explicitly states how this information will be used (e.g., “in order to send you the weekly newsletter”, or whatever) whether or not it will be shared with or used by third parties, and anything else relevant to the person signing up in order that they can consent to it. You then need to ensure that any emails that are sent to the list, including any welcome message, makes it clear how the person who has signed up unsubscribes. That’s pretty standard stuff these days, but it’s worth checking that you have your house in order.
Opt-In for Forms
As with anything, there is more you can do but for small business and organisations it’s unlikely they will be necessary.
This information is intended as guidance only. It is not definitive and is the personal opinion of the author. Ensuring your business is GDPR compliant is the responsibility of your Data Controller.
Image credit: iStock.com/oatawaDo you need help? Contact me now to arrange a personalised tech support or training session.