I realise that leaving it until the 9th May to sort out my GDPR is leaving it a tad on the late side. My excuses (we all have them) is that I have a simple business structure and have always sought explicit permission to use people’s data.
That said, the time has come to sort it!
I admit to being reluctant to take it on. It’s not my idea of a good time (shocker). I read some summaries of the GDPR regulations and they nearly sent me into a coma.
However, I had a chat with someone last week that made me crack on with it. That someone was Stacey Richard from Surbiton Sitters. The structure of her small business is extremely complex for its size and she holds very sensitive information on a staggering number of people; clients, their children and all of her 80 staff members. Plus; it’s riddled with possible data breaches, mainly through the passing around of customer and employee information.
Luckily, Stacey has always run a tight ship process-wise and she has an analytical mind. She admitted to doing the whole running like a headless chicken bit then produced a surprisingly simple audit.
With her permission I have used her process for my own business, and here it is!
Disclaimer: I’m not a lawyer nor a GDPR expert (and neither is Stacey). I’m still working through my own processes. If you notice something I’ve missed out, then please please tell me! By sharing my workings I’m hoping to help other people find a way to audit their business that will work for them. That’s the kinda gal I am.
Step 1. List all the ways that data enters your business and the ways in which you use that data.
I did mine in a mind map first. Remember to include staff, suppliers and business contacts as well as customers.
If you can’t read my hideous writing, here’s my list;
- ‘Promote Your Business’ programme leads and applicants
- Email list subscription- new and current
- Coaching or mentoring client- new and current
- Usage of testimonials and/ or client photos in marketing material
- New contact made through networking (online and offline) e.g. peer, influencer or supplier
- New enquiry- general
Step 2. Open up a spreadsheet and create one sheet per item (so I’ve got 6 in mine)
Break down your data ‘processing’ into steps and put them into column titles i.e. how you are storing, using and transferring the data.
The red, amber, green classification is used to indicate if there’s a ‘data breach’ risk i.e. data being handled by someone who’s not meant to.
For example, I’ve used red for anything where I’ve noted down something on paper. In reality, the chance that I leave my notes on a train, it gets picked up by someone despicable and they do something terrible with that info, is really small. For other people the risk is much greater.
As you can see, I’ve added a separate line for each data channel. In other words, how the data came to be in my possession.
Step 3. Mitigate the risks
For every amber and red box, think of a way to reduce that risk as much as possible. Check every angle. For any business to function smoothly there will be some risk of a data breach, the aim here is to reduce to it’s minimum and be able to prove that you’ve done so.
One down and five to go for me!
Here are some other questions I’m asking myself as I go through;
- Will I be able to dig out a record of a person granting me permission to keep and use customer data for each separate purpose?
- How long is it reasonable to keep someone’s data ‘just in case’ they want services from me? If I can’t get explicit permission from them, how often should I purge my contact’s data?
- Is access to sensitive data as limited as possible? This is reasonably straightforward for a business of my size; I’m the only one who has access to a contact’s data. However, it makes sense to double check that all my suppliers’ security is up to scratch e.g. email provider.
Have you sent any resubscribe emails to your subscribers yet? Have you had to make any major changes to the way your business works? I’d love to know how it’s going for you.
About Janine Coombes
I’ve worked in huge marketing-oriented organisations, in teams of hundreds of marketers. By simplifying those big business processes I can cut out the noisy clamour of marketing ‘must do’s’ and help you realise a simple plan that will work for your company. I’m currently accepting applications for the Promote Your Business action plan programme. Email me at firstname.lastname@example.org for more information or message me on LinkedIn.