The General Data Protection Regulation is a new privacy and data protection law that came into force on May 25th, 2018 and affects any business that is based in the EU or stores personal information about someone in the EU (this includes customers, leads or anyone you store information about).
This isn't legal advice—we recommend getting professional advice if you’re unsure how the GDPR will affect your business and what your obligations are.
Data privacy breaches have become a serious international problem, from identity theft to the illegal distribution of personal data or the prevalence of phishing scams—it is important your personal information is safe and not vulnerable to unlawful distribution. However, if the privacy of your personal information has been compromised, it is usually too late to do anything about it. Rather than waiting until it’s too late, the GDPR is a pre-emptive strike against data management practices that make personal information vulnerable.
The GDPR states that it “...protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” (Chapter 1, Article 1). It sets out a range of data protection requirements designed to protect the personal data of individuals.
Rocketspark has always kept a high standard of data protection for anyone we have information about and we welcome the changes ushered in by the GDPR to raise the standard for all businesses that store personal information.
The GDPR mentions transparent or transparency 25 different times, so it’s safe to say it’s a key theme of the GDPR. Businesses need to be able to show what information they hold about a person and what they use that personal information for.
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” GDPR (Recital 39)
The GDPR also sets out in detail the rights of the individual with regard to the protection and processing of their personal data:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- and the right not to be subject to automated decision-making, including profiling.
There is so much more detail packed into the GDPR but for the purpose of this high level introduction, we’re focussing on some of the key points that will affect small businesses.
To explain how Rocketspark is compliant with the GDPR, it’s helpful to understand the 3 key groups of people Rocketspark holds personal information about:
1. Potential customers who have explicitly given us permission to email them
- These people signed up via an online form, giving clear consent that they were supplying their details to be contacted about Rocketspark, or signed up at a trade show or event to be sent more information.
2. Current paying customers of Rocketspark
- We keep information about paying customers such as name, physical address, phone number and email address because they are required for several critical aspects of our service, such as registering domain names, billing for credit card payments, and (in the case of the email address) logging in to their account and receiving important emails about their service.
3. Past customers of Rocketspark
- If a customer closes down their account with Rocketspark, their details and website account history are kept as a private record at Rocketspark. The reason for this is that businesses sometimes reactivate their account with Rocketspark after closing it down, and it is helpful for them to be able to reactivate quickly without creating a whole new account.
Under the GDPR’s right to erasure, if anyone in these groups asks Rocketspark to delete all instances of their personal information, we will follow through on that request. In the case of current paying customers, you would first need to close your account with Rocketspark, because that information is needed to provide the service.
- We have created a GDPR compliance plan and have been working through our requirements under the GDPR, such as appointing a data protection officer and other changes.
- All Rocketspark staff have been trained on the GDPR requirements.
- We have written internal processes for correctly handling requests by someone to exercise their right to be forgotten and for the erasure of their personal information.
- We have done an assessment of all of the systems we use to store or process personal data, and documented why that data is stored in each.
If you’re a business that’s based in the EU, or you have clients in the EU whose personal information you store in any way (even just an email database counts as personal information), you will need to comply with the GDPR.
- Make sure there is a way for you to delete all instances of a customer’s data if they request that their personal information be permanently deleted. This means knowing every system that holds a copy (your CRM, email marketing tool, backups, spreadsheets). For financial and contractual data we recommend you contact your own advisors about the data you are legally required to retain.
- If you use third parties to store or process customer data (for example, email marketing software), check whether that software provider is GDPR compliant (usually a quick Google search of the software provider’s name plus “GDPR” will tell you whether they are compliant or not, and what data processing terms they offer).
- When you send marketing, make sure you’re only contacting people who have given their consent to be contacted, and keep a record of when and how that consent was given.