If you deal with customers, no matter how small your business is, you will soon need to comply with, The European General Data Protection Regulation (GDPR for short) regarding processing of the data: collection, storage and usage of personal information. This applies to e-mails, addresses, names and phones. So, if you are collecting any of this data daily, you’ll need to comply with the GDPR, whether the data’s on a notepad, in an excel spreadsheet, on your computer network, your mobile phone, or in the cloud.
In this short article we have decided to outline what it might mean for a locksmiths business.
It might sound scary and like a burden, but in general following GDPR rules can show to your potential and existing customers that as a locksmith you are keen to respect the rights of personal information, and it may make people trust you more. No one likes having their data misused, lost or stolen and doing everything you can to protect your customers and grow their trust could be a unique selling point.
GDPR is built around two key principles.
Giving citizens and residents more control of their personal data
Simplifying regulations for international businesses with a unifying regulation that stands across the whole European Union
GDPR will be effective from 25/05/18.
It will apply to any business that processes the personal data of EU citizens.
Your customers will have more rights on how you deal with their data. They will now have the ‘right to be forgotten’ in case they decide not to receive any information from you or wouldn’t want you to process their information (for example the individual is no longer a customer) so your contract with them no longer gives you a legal right to keep the data
Failure to comply will result in penalties. The GDPR will allow very high fines in cases of noncompliance (if one of your customers reports you).
The consent needs to be clear, specific and explicit. Your consent statement should describe:
why you’re processing their personal data (the purpose), including the legal basis you have, such as consent.
the categories of recipients you may be sending the personal data to (customer, employee, supplier, etc)
Use a positive opt-in (don’t rely on pre-ticked boxes or default options)
Explicit consent means a very clear, specific statement of consent
Keep your consent requests separate from other terms and conditions
Make it easy for people to withdraw consent (and tell them how)
Keep evidence of the consent (who, when, how and what you’ve told people)
For example, your customer will need to sign a form which states:
“{your Company name} will use the information you provide on this form to get in touch with you and to call, e-mail and send direct mail with marketing updates. Please let us know all the ways you would like to hear from us:
{check box} Phone
{check box} Email
{check box} Direct Mail
You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at {add your e-mail}. We will treat your information with respect. For more information about our privacy practices please visit our website. By signing below, you agree that we may process your information in accordance with these terms.
{Place for signature}
2. Internal security measures and training.
You’ll need to have an internal document which clearly explains to all employees (if you have any) how you will need to collect, process and store the data. Ensure that your employees understand what constitutes a personal data breach and build processes to fix it.
3.If a customer requests to delete/amend his data.
Under GDPR each request from the customer has a timeframe and deadline of one month, from the original date of request.
4. Your website.
If you use cookies on your website or have a newsletter subscription form, you need to make sure that you amend the wording of both. See point 1.
5. Your e-mail database.
If you have a database of e-mails, make sure that you have a clear recorded consent from each subscriber. If you don’t have a sufficient consent, you will not be able to send them mass e-mails after 25th of May 2018. And bear in mind, that consent can no longer be hidden in small print but must be presented clearly – so no more pre-marked boxes. See point 1.
There are penalties for not following the GDPR guidelines. Insolvency will be a real risk for non-compliant businesses because of these fines. But bear in mind the possibility that individuals can also sue you, if they suffer because of your data management. This could be for material damage or non-material suffering, such as distress.
The website and checklist below are great resource for small businesses looking to step in-line with the GDPR.
In general, GDPR might help you to earn your customers’ trust, to showcase that you are a company that respects personal data.
"Their 3-star cylinder range has become our go-to product to offer homeowners and the quick turn-around on orders has been a big help to our business"
"Working with APECS has been great. They are both friendly and professional to deal with and all of the products we have used have been of the highest quality."