It’s likely you have already seen and heard a lot about the new GDPR, but what is it? And importantly how will it affect you as a self-employed creative or small business?
What is it?
GDPR stands for The General Data Protection Regulation (EU) 2016/679. It is a new regulation for the European Union that comes into effect on the 25th of May 2018. It’s an update of laws that were set 20 years ago. They were due a refresh!
This new law offers EU citizens greater data protection and rights to deletion. Whereas before, you had to opt out, now, you the right to data privacy unless you opt-in (consent). Essentially, this new EU law aims to ensure that businesses take steps to respect and protect people’s personal data. Despite Brexit, the UK is still included as the updated regulation will be adopted as the General Data Protection Bill.
Will it affect you?
It may be easy to assume that it won’t affect you, but you should be getting up to speed with this new law, regardless of your location, if you:
a ) Have customers or website visitors from within the EU. Doing business is not only defined by financial transactions. Do you, for example, have European citizens contacts on your newsletter list? If you are holding “personal data” about a European citizen, GDPR affects you.
b) Are holding any other personal data that makes the person identifiable. This includes things like email address, name, phone number, IP addresses etc. It also applies to images of people, so making sure you have proper permissions, eg - a model release form, is important. This is especially true if you are using the images for advertising.
So now what?
The GDPR dictates key points that you have to follow:
2 - You can only use the data in a way that is relevant to your business. If it has been provided to you for a specific purpose then you cannot use it outside of the terms of that agreement. For example, if someone has contacted you to inquire about your service and has provided you with their contact details, you cannot then send them your newsletter (you would need to obtain separate consent for this). If the lead did not convert into a customer, you must delete the data as soon as you the lead is no longer active.
3 - Any data that you hold on a person must be accurate and up to date. A person can also request that their information be amended and you must comply. Under GDPR users can ask for a complete copy of the data you are holding on then, and you must comply in a timely manner.
4 - Legal reasons outweigh consent. If you are legally required to hold certain information, this outweighs consent or their request for data deletion. For example, if someone purchased something from you, you will likely need to keep financial records for your local/federal tax office. If a user requests information to be deleted you must comply and delete all data points (and remove from email lists etc), except what your tax office (for example) requires you to keep. At the end of the storage period (the legal requirement is over), you must then securely delete the data.
5 - You must delete any data you do not have a reason to have. You must have a valid reason for keeping information about a person. If their contact information was part of a business transaction you are able to keep it for your records. However, if a person provided you with data and you have no reason to hold it, it must be deleted in a timely manner. This means regular auditing of your records is important. If a person requests you delete their information and you do not have a valid legal reason to keep it, you must comply.
6 - You must store data securely. Which means it cannot be accessible to anyone else. You are responsible for the safety of information that is provided to you and must keep access logs.
If you are already holding data, like email addresses you should divide them into EU and non-EU, it’s also worth noting when you are unaware of their location. When in doubt, assume that they are EU. If by the compliance date of May 25th they haven’t opted in (consented to your storing their data), it would be best to delete their information. This may reduce your contact list significantly but deleting their information on/after May 25th is considered “processing” which is in breach of the law.
Provide people with an opportunity to opt-in. You could build this into your website via a pop-up, or provide another opportunity for them to sign up, to a newsletter for example. You are then free to communicate with them in this way. If you have consent or a clear legal (this does include proposing a business relationship) reason for contacting the person and if their information was publicly available you’re still data protection compliant.
As much as GDPR has resulted in work for everyone, we at Pixsy welcome any legislation that encourages more privacy, transparency and consent online. The long-overdue updates to data protection law will benefit us all in the long term, so it’s worth taking the time now to be aware of your rights and to make sure you are respecting the rights of others!
(Notice: This is general advice only and should not be considered legal or other professional advice)