The Information Commissioner's Office (ICO) is the UK regulator for data protection, and from May 2018 it enforces a tighter set of rules known as GDPR, the General Data Protection Regulation.
As this BBC interview explains, it’s not about stopping people going about their lawful business. It’s about trying to restrict the activities of spammers and scammers.
I am not claiming to be a Data Protection or GDPR expert and anything said in this article should be treated as a fellow business owner giving his interpretation of the requirements. I may be wrong (it has been known) and having read this article, it’s still up to you to ensure that your business complies with the ICO’s requirements. If you discover that I am wrong about any aspect, please let me know!
GDPR replaces the existing Data Protection Act 1998 and applies from 25 May 2018. Much of what it asks for builds on the rules you should already be following, so the first step is to make sure you're complying with the existing regulations.
You should have a Privacy Policy (also called a Privacy Notice), and this should be made public (e.g. published on the website or posted as a leaflet).
You should also have a Data Protection Policy. This one is for internal use, so that you and your staff know how you intend to keep and secure personal data. Think about what data you collect, where you collect it from, how and where you store it, and how you keep it secure.
As well as publishing a Privacy Policy, your website and literature should carry a short privacy statement at the places where you collect data, such as forms. The statement might read something like: "We take your privacy seriously and will only use your personal information to administer your account and to provide the information, products and services you have requested from us."
This short statement should then be expanded into a fuller notice:
[Image: an ICO example of what a full contact form privacy statement might look like.]
You might consider using this Privacy Notice as a starting point, but I cannot write it for you as I do not know what you do with your data. This example will need to be amended if you collect data for general marketing and/or if you intend to share the data with a third party as described above.
See the ICO’s Guides, Resources and Support
If you do email, SMS text, phone or post marketing and have built up a marketing list (as distinct from a client list), you will need your prospects' consent to continue marketing to them, by way of an opt-in. It is not sufficient to write something like "unless we hear from you, we're going to assume that you consent to future mailings". Sorry, please don't shoot the messenger, but they must agree by opting in. You cannot continue to send marketing communications if you do not obtain consent.
Note: what I'm writing about here is a marketing list, not a client list. You can still contact your own clients about your normal business or club activities.
I hope you have found this article of use. And to my clients: I look forward to receiving your Privacy Policies and Privacy Statements in due course!
Article by Chris Addams of Swift Image Web Design, written 4 May 2018. Edited & updated 19 June 2018.