In our last blog, we discussed immediate steps to take to work towards GDPR compliance. If you’ve taken those steps, then great job, you’re on your way to GDPR compliance. However, there’s a lot more to GDPR than privacy policies and email marketing guidelines. The most fundamental part of GDPR is how you collect, store, document and share people’s personal information.

Collecting Data

  1. Transparency: The GDPR ensures there is increased transparency between organizations that collect and use data, and the individuals whose personal data is being collected. Any organization that wants to collect data—whether via a website form, email, etc.—needs to clearly communicate what the data will be used for, and individuals must then consent to that use. Data subjects also need to be told about their right to withdraw consent at any time.
  2. Data Minimization: When collecting data from an individual, for example to convert a website visitor into a lead, organizations must remember they are now only allowed to collect data that is adequate, relevant, and limited to what is absolutely necessary for the intended purpose of collection. For example, you may not need a person’s date of birth to put them on your email newsletter list, but you do need their email address.

Storing and Processing Data

  1. Purpose and Usage Limitation: Organizations can only use the data they collect for specified, explicit, and legitimate purposes. This means your small business isn’t allowed to use the data you collect in any way that is incompatible with the purpose for which it was collected. For example, if someone fills out a form to sign up for a webinar, you cannot then put them on your mailing list and send them communications unrelated to the webinar unless the sign-up form told them what you would be using their contact information for. It also means that if you plan to share or transfer the data to another company, you will need to ensure you have consent for that as well.
  2. Security: Once data is collected, you need to store it in a secure manner that is in accordance with the GDPR security provisions, which means using “appropriate technical and organizational security measures” to protect against unauthorized processing and accidental loss, disclosure, access, destruction, or alteration of the data. Your business may want to consider encrypting the data, using pseudonymization or anonymization methods, or segregating the data from other data within your systems.
  3. Accuracy: Data should be kept up-to-date at all times, and under GDPR, individuals are now able to ask organizations to correct or update their data at any time if it is no longer accurate.
  4. Accountability: Companies that collect data are responsible for ensuring they themselves comply with their obligations under the GDPR. Not only will organizations be required to keep records to prove compliance, but they will also need to have policies in place to ensure compliance.
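The security item above names encryption, pseudonymization and segregation as possible measures. As an added illustration, and not code from the original post, the Python below sketches two of them together: data minimization (keeping only the fields the stated purpose needs) and pseudonymization of the remaining identifier with a keyed hash (HMAC-SHA256), with the key and the pseudonym-to-email lookup held apart from the working dataset. The field names, the sample record and the key value are constructed for the demo; in practice the key would come from a secrets manager and the lookup table would live in a separately access-controlled store.

```python
"""Data minimization plus keyed-hash pseudonymization (added example).

Assumptions (not from the original post): the newsletter purpose needs
only an email address and the consent flag; the HMAC key is stored
separately from the pseudonymized records; DEMO_KEY is a constructed
value standing in for a key fetched from a secrets manager.
"""
import hashlib
import hmac

# Constructed demo key; a real deployment loads this from a secrets store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Fields the newsletter purpose actually needs (data minimization).
NEWSLETTER_FIELDS = frozenset({"email", "consent_newsletter"})

# Constructed sample record that carries more than the purpose requires.
SAMPLE_RECORD = {
    "email": "Alice@Example.com ",
    "date_of_birth": "1990-01-01",
    "phone": "+00 000 000 000",
    "consent_newsletter": True,
}


def minimize(record: dict, allowed_fields: frozenset) -> dict:
    """Drop every field not needed for the declared purpose."""
    return {k: v for k, v in record.items() if k in allowed_fields}


def pseudonymize_email(email: str, key: bytes) -> str:
    """Return a stable pseudonym for an email address.

    A keyed hash is used instead of a plain SHA-256 so that someone who
    obtains the pseudonyms but not the key cannot confirm a guessed
    address simply by hashing it. Normalization keeps the pseudonym
    stable across case and whitespace differences in the same address.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def split_record(record: dict, key: bytes,
                 allowed_fields: frozenset = NEWSLETTER_FIELDS) -> tuple:
    """Produce (working_record, identity_entry).

    working_record: minimized fields with the email replaced by a pseudonym;
                    this is what day-to-day processing operates on.
    identity_entry: (pseudonym, normalized email) for the separately stored
                    lookup table that allows re-identification when a
                    correction or deletion request must be honoured.
    """
    minimal = minimize(record, allowed_fields)
    email = minimal.pop("email", None)
    if email is None:
        return minimal, None
    normalized = email.strip().lower()
    pseudonym = pseudonymize_email(normalized, key)
    minimal["email_pseudonym"] = pseudonym
    return minimal, (pseudonym, normalized)


def delete_subject(identity_store: dict, working_store: list, email: str,
                   key: bytes) -> int:
    """Remove a subject from both stores; returns the number of working
    records removed. Used to confirm a deletion request was honoured."""
    pseudonym = pseudonymize_email(email, key)
    identity_store.pop(pseudonym, None)
    before = len(working_store)
    working_store[:] = [r for r in working_store
                        if r.get("email_pseudonym") != pseudonym]
    return before - len(working_store)


if __name__ == "__main__":
    working, identity = split_record(SAMPLE_RECORD, DEMO_KEY)
    print("working record:", working)
    print("identity entry:", identity)
```

Running the module prints a working record that contains only the consent flag and a 64-character pseudonym, while the date of birth and phone number never leave the intake step. Because the two outputs are meant for different stores, a compromise of the working dataset alone yields neither direct identifiers nor a way to test guesses against the pseudonyms without the key.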

Keeping and Deleting Data

  1. Retention: Businesses can only hold on to personal data for as long as is necessary to fulfill the intended purpose of the collection. This means if the relationship ends for any reason, you need to have a data retention policy in place to outline how long you will keep an individual’s data as well as what the justification is for holding on to the data for that period of time.
  2. Deletion: If an individual requests that their data be deleted, organizations must comply with that request and confirm the deletion (not just from their own systems but from any other organizations that have collected and used that data as well).

It’s clear that getting into compliance with GDPR is a lot of work, and will take a significant amount of time and energy. However, with clear and concise policies and procedures in place, your organization can achieve compliance and will ultimately benefit from having cleaner and more valuable data and marketing lists.

Disclaimer: This blog post is not intended to provide legal advice to help your company comply with the GDPR. We are providing background and information on the GDPR only. Any legal information mentioned above is solely for the purpose of supplying facts and details regarding the GDPR. You may not rely on this blog as legal advice nor as a recommendation of any particular legal understanding.