GDPR (General Data Protection Regulation) came into force in the UK in May 2018. It is a regulation designed to protect the privacy of personal information of people living in the European Union, giving them control over how their data is collected, stored, used and processed. It affects every business globally that processes personal information of people in the EU. 

What does GDPR actually mean? 

It covers all personal information about EU-based people, including employees, customers, suppliers and anyone else you collect personal data from. Personal data includes names, contact details, addresses, medical information, credit card and bank details, etc. 
How you collect personal data - you are only allowed to collect personal data if you have a legal reason to do so. For example, you might need it for an invoice or sales contract, or a customer may have requested that you send them details of a product or service. Whatever the reason, you must make it clear how the personal data will be used, and it must only be used for that purpose. 
Terms and conditions and user contracts (e.g. on a website) - they must be clear, simple and easy to understand, with no complicated legal text. 
The right to know - individuals can ask a company what information is being held about them. Companies have to respond within 1 month and can no longer charge a fee for this. 
The right to erasure - customers can ask a company to remove all the personal data it holds about them, unless the company needs to keep the information for legal purposes (such as tax, for example). 
Data portability - individuals can request a copy of their personal data, which they can then use however they like, such as transferring it to a different service provider. 
Data breach - companies are obliged to report certain types of data breach to the relevant authority. 
 
It is also worth noting that the UK Government will ensure that GDPR is added into UK law post-Brexit, so this will not affect your obligations as a UK business owner. 

Three simple steps 

It may seem like a minefield and slightly overwhelming for business owners, but the three main steps you need to take to ensure your business is compliant are as follows: 
 
1. Permission for Email Marketing 
In order to market your business directly to customers, you need to have their permission. If you use a lead generation form, collect data when customers make a purchase, or gather email addresses in another way, you need to include a statement that users actively tick to say you may contact them for marketing purposes. You can no longer use a pre-ticked box that customers have to untick. 
 
2. Clear Privacy Policy 
You must have a clear Privacy Policy on your website. It should set out a range of areas, such as what personal information you hold, how it will be used and how it is stored. It needs to be easy to read and understand, and easily accessible. 
 
3. Simple Way to Opt Out 
It is essential that you make it easy for people to opt out of your communications. Ensure that you have an ‘unsubscribe’ button on your emails. You need to make sure that the process of opting out is easy to navigate and accessible, and that all data relating to that person is also deleted. 

Next steps 

GDPR covers a wide range of aspects, but the most important thing is to ensure that your business is clear on how it processes and stores any personal data it holds, and that the data is kept securely. 
 
If you need more advice on GDPR and how it affects your business, download our factsheet or feel free to get in touch.

Written by Nicola J Sorrell - Effective Accounting 
Founder | Xero Champion | IR35 Expert 