Undoubtedly, you’ve had a lot of emails relating to the EU’s General Data Protection Regulation (GDPR). The reforms are designed to reflect the world we’re living in now and bring laws and obligations in Europe up to speed for the internet age.
GDPR gives control of personal data back to the people who own it and requires organisations to make data protection a core part of their operations and processes.
We see GDPR as a great opportunity for businesses to assess their current data processing activities and make sure protecting customer data is at the heart of everything they do. Alongside a leading GDPR legal expert, we’ve been conducting a comprehensive audit and assessment.
We’ve completed a comprehensive review of the following:
What personal data do we collect and/or store?
How have we obtained it? Where it’s solely for marketing purposes, do we have the necessary consents required? Were we clear and unambiguous about the purpose of capturing this data? Were the data owners informed of their right to withdraw consent at any time?
Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
Are we keeping it safe and secure using a level of security appropriate to the risk? Are we limiting access to ensure it is only being used for its intended purpose?
Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?
Under the GDPR legislation, you’ll need to have a lawful basis for using someone’s personal data. This falls into several categories including:
Necessary for the performance of a contract
If someone buys a product or service from you, you can send them communications such as emails related to onboarding, billing, details of the service. In other words, anything you need to communicate to fulfil your contract. The majority of our emails are from the team, direct to clients relating to the services we are providing them.
Under GDPR you may email clients about related products, services, events and updates which you believe may be useful for them to receive. The majority of the other emails we send fall under this category and relate to things like legal changes which could impact you (budget announcement, tax changes, scheme changes) as well as additional services we provide.
Consent (with notice)
Under GDPR this must be freely given, affirmative, opt-in consent accompanied with a transparent explanation of your purpose for acquiring/using the data.
For us, this directly relates to email capture lists we have on our website and with BenchPress, and being clear if you’d like to hear from us again. We’ve updated our website now to include affirmative consent, like the drop down box on our BenchPress 2018 webpage.
Withdrawal of consent (or opt-out), modification and deletion
Withdrawing consent needs to be just as easy as giving it. Anyone needs the ability to see what they’re signed up for and withdraw their consent (or object to how their data’s been processed) at any time.
With Wow, any consent that falls under legitimate interest of opt-in consent can just as easily be opted out of by using the unsubscribe button at the bottom of the email. This will immediately withdraw your consent from these emails.
Anyone also has the right to request deletion of all their personal data a business holds, or modification of their data if it’s inaccurate or incomplete. GDPR requires the permanent removal or modification of any personal data.
With Wow, anyone that wants their data permanently deleted or modified can request to do so by emailing email@example.com, we will respond to your request within 30 days.
However, in order to complete our services and comply with HMRC or Companies House regulations, we may have to continue to store and process your data and also contact you directly relating to the completion of that service.
If you request your data to be deleted and you fall into this category, we will let you know:
what data we’ll need to continue to hold
how we will process it
the instances we will need to contact you
why we need to do so, e.g. to complete your tax return, comply with a request or law from HMRC
when we can delete your data
Even if a formal request for deletion is never made, we will never hold data for any longer than necessary to complete our obligations to our clients and HMRC.
Anyone can request access to the personal data you hold on them and verify the lawfulness of processing. Personal data is anything identifiable, like name, email address, business data.
With Wow, anyone that wants access to the personal data we hold on them can do so by emailing firstname.lastname@example.org. We will respond to your request within 30 days and any data will be provided in a machine-readable format.
Protecting our clients’ data is fundamental to everything we do and provides multiple layers of protection.
The majority of our data processing is conducted by Xero that has the highest security standards. Xero encrypts all data that goes between you, us and Xero using industry-standard TLS (Transport Layer Security), protecting your personal and financial data. Your data is also encrypted at rest when it is stored on Xero’s servers, and encrypted when transferred between data centres for backup and replication.
All other cloud services we use internally also use industry-standard TLS (Transport Layer Security) and have up to date security measures and protocols.
Internally, members of the team only have access to the data of the clients they are working on and we have enabled two-factor authentication across all team members and all devices.
Ongoing – Privacy by design
We don’t see this as a process of compliance to meet the new regulations. We want the privacy and security measures we take at Wow to be one of our major strengths.
We conducted a thorough assessment of each department at Wow and looked at any way we could improve our data processing activities. This builds on the idea that privacy should be considered from the start (and throughout) the systems and overall client processes.
We have a team who will continue to do this each quarter, so we stay on the forefront of any changes in technology, anything we can improve on, any amendments or interpretations of the legislation as it arises and any new security processes that are being developed.
You got this far?
Well done if you’ve got this far – this isn’t exactly the most exciting subject, but it is important. If there’s anything you’re unsure about or would like any additional information on, please email email@example.com. We’d love to help you.