From changing opt-ins and sign-ups to deciding whether you are a data controller or a data processor, here are some tips for design, print and packing firms to get on top of the incoming data protection regulation.
The General Data Protection Regulation (GDPR) is a European Union regulation that will come into force in May 2018, and it will impact on every business and organisation in the EU. In a nutshell, the GDPR will put a stop to unsolicited mail and unlawful sharing of data. It also safeguards against information theft or abuse. So for every piece of personal data – be it an email address, phone number or physical address – you must have sought explicit consent to store, use or share that data, or have legitimate business reasons to store and use it. GDPR also brings in hefty (potentially bankrupting) fines and mandatory breach reporting.
Three-quarters of Irish businesses say they’re not ready for this May’s GDPR, according to a new survey by McCann Fitzgerald and Mazars, although 75% believe their existing data protection and privacy notices and methods of consent “will require significant changes”.
The design, print and packing industry has its own specific challenges. According to research from technology firm Gartner Inc, 70% of all Irish businesses have suffered a print-related data breach of some kind. For example, direct mail campaigns may involve multiple partner agencies working together, all sharing sensitive data which does not belong to them. Or a print company may outsource fulfilment, or a design firm may outsource print on behalf of a client. All of this sharing ultimately decreases control over the data and increases the risk of exposure for the ‘data controller’.
Here, we’ve outlined some key actions you can take right away to start preparing your business.
- Audit your data
You need to document what personal data you hold throughout your organisation, where it came from and who you currently share it with. Pay particular attention to marketing data – how do you store client emails? Do you issue newsletters or other marketing materials to lists of clients and potential clients? Do you send unsolicited mail about offers or new services? How long do you store information belonging to a specific project? Do you have old files with potentially sensitive information on the company’s server? This audit will take time and significant attention to detail, and will require input from all departments – so start as soon as possible.
- Understand the difference between ‘Data Controller’ and ‘Data Processor’
A data controller is one who dictates how and why data is used, whereas a data processor merely processes (prints, designs, etc.) that information on behalf of a client or third party. Most design, print and packing companies will be data processors. You may, however, also be a data controller if you have your own mailing lists for marketing purposes (e.g. a newsletter) or if you are responsible for gathering personal information for any other purpose.
- Review your data storage policy
Most design, print and packing companies will personalise posters, mailshots, newsletters and more on behalf of clients. This means you may have huge volumes of personal information – emails or home addresses in particular.
Consider the data you have stored. For example, in a print company, you may be involved in personalising mass mailings. Where do you store these addresses, and for how long are they kept after the fact? Are there any spreadsheets left over from old projects sitting around on shared drives? Unsecured printing is a particular area of concern.
- Review your data sharing and processing policy
Think about how you share and send large files. Make sure that any time information is shared internally or externally, it is done securely and for a good business reason.
As data processors, you now must keep a record of data processing activity. This might be a simple flow chart which maps how data is shared within your organisation. For example, as a design agency, you might act as an intermediary between your client and a print company. It is important for you to have a clear process in place for how you receive data from your client, how you share it with the print company securely, and how it will be stored until the job is closed out. You’ll also need to include GDPR clauses in contracts with any third-party suppliers.
- Understand consent for use
Consent is going to be front and centre in all data sharing and data usage from here on. Pre-checked boxes and implied consent will no longer be sufficient. You must have written policies, which are strictly adhered to, around how you obtain and document consent, and a process for consent withdrawal.
- Train all staff
Add data protection as a line item on team meetings so that you are all aware of the significance of the issues GDPR raises, and to ensure progress is being made on a company-wide level on data sharing and protection policies. Staff at all levels should be aware of the new legislation and understand how it will impact on their role. All it would take is for someone to share a phone number or email address carelessly for significant fallout to occur.
- Appoint a data protection officer
Even small organisations need to appoint a data protection officer (DPO). The DPO for your business should be monitoring compliance with GDPR, advising and informing the organisation and its employees about their obligations, and acting as the point of contact for supervisory authorities and for individuals whose data is processed. In addition, there is a responsibility under GDPR to report a data breach within 72 hours, and the DPO should be responsible for this. A client-facing staff member who has plenty of hands-on opportunity to see how things work ‘on the ground’ will be best placed to fulfil this role.
- Use GDPR to add business value
In many ways, GDPR provides an opportunity for your company to add business value by helping other companies be more mindful of correct storing, sharing and use of data. Website designers, for example, can help ensure sign-up pages are compliant.
Also, as part of GDPR, you should be able to demonstrate your compliance programmes to third parties, individuals or authorities. Your clients are going to be particularly concerned about sharing data with you – so be sure to let them know you are already compliant and will take care of their data for them. Having a strong policy in place, and helping clients to prepare their own, will add significant value, as all organisations are concerned about the new legislation.
Taking GDPR seriously will be a business imperative for all SMEs in Ireland over the next couple of months. Once GDPR is in place, there will be little room for trial and error, so get your ducks in a row now and test your systems. Seek out advice if you need to – and don’t take any risks when it comes to gathering, storing, sharing and using data of any kind.
The content of this article is provided for general informational purposes only and is not intended to be used as a substitute for specific legal advice or opinions. When it comes to GDPR, the penalties are severe. All business owners should seek out specific legal advice if their business has complex data processing or controlling needs.
We are running training programmes to help your business get ready. Email firstname.lastname@example.org if you would like to join such a programme.