GDPR

25 April 2018 17:51
GDPR

If you deal with customers, no matter how small your business is, you will soon need to comply with, The European General Data Protection Regulation (GDPR for short) regarding processing of the data: collection, storage and usage of personal information. This applies to e-mails, addresses, names and phones. So, if you are collecting any of this data daily, you’ll need to comply with the GDPR, whether the data’s on a notepad, in an excel spreadsheet, on your computer network, your mobile phone, or in the cloud.

In this short article we have decided to outline what it might mean for a locksmiths business.

It might sound scary and like a burden, but in general following GDPR rules can show to your potential and existing customers that as a locksmith you are keen to respect the rights of personal information, and it may make people trust you more. No one likes having their data misused, lost or stolen and doing everything you can to protect your customers and grow their trust could be a unique selling point.

What is GDPR?

GDPR is built around two key principles.

  1. Giving citizens and residents more control of their personal data

  2. Simplifying regulations for international businesses with a unifying regulation that stands across the whole European Union

Start date

GDPR will be effective from 25/05/18.

GDPR overview

  • It will apply to any business that processes the personal data of EU citizens.

  • Your customers will have more rights on how you deal with their data. They will now have the ‘right to be forgotten’ in case they decide not to receive any information from you or wouldn’t want you to process their information (for example the individual is no longer a customer) so your contract with them no longer gives you a legal right to keep the data

  • Failure to comply will result in penalties. The GDPR will allow very high fines in cases of noncompliance (if one of your customers reports you).

GDPR checklist for locksmiths

1.Customers’ data. 

You need to collect personal data (e.g. name, address, email, bank details and etc.) and ensure that customers give you consent to process the data if you will be using this data for any marketing activities.

The consent needs to be clear, specific and explicit. Your consent statement should describe:

  • why you’re processing their personal data (the purpose), including the legal basis you have, such as consent (check the ICO’s privacy notices page for more information)

  • the categories of recipients you may be sending the personal data to (customer, employee, supplier, etc)

  • Use a positive opt-in (don’t rely on pre-ticked boxes or default options)

  • Explicit consent means a very clear, specific statement of consent

  • Keep your consent requests separate from other terms and conditions

  • Make it easy for people to withdraw consent (and tell them how)

  • Keep evidence of the consent (who, when, how and what you’ve told people)

For example, your customer will need to sign a form which states:

“{your Company name} will use the information you provide on this form to get in touch with you and to call, e-mail and send direct mail with marketing updates. Please let us know all the ways you would like to hear from us:

{check box} Phone
{check box} Email
{check box} Direct Mail

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at {add your e-mail}. We will treat your information with respect. For more information about our privacy practices please visit our website. By signing below, you agree that we may process your information in accordance with these terms.

{Place for signature}


2. Internal security measures and training. 

You’ll need to have an internal document which clearly explains to all employees (if you have any) how you will need to collect, process and store the data. Ensure that your employees understand what constitutes a personal data breach and build processes to fix it.

3.If a customer requests to delete/amend his data. 

Under GDPR each request from the customer has a timeframe and deadline of one month, from the original date of request.

4. Your website. 

If you use cookies on your website or have a newsletter subscription form, you need to make sure that you amend the wording of both. See point 1.

5. Your e-mail database. 

If you have a database of e-mails, make sure that you have a clear recorded consent from each subscriber. If you don’t have a sufficient consent, you will not be able to send them mass e-mails after 25th of May 2018. And bear in mind, that consent can no longer be hidden in small print but must be presented clearly – so no more pre-marked boxes. See point 1.

There are penalties for not following the GDPR guidelines. Insolvency will be a real risk for non-compliant businesses because of these fines. But bear in mind the possibility that individuals can also sue you, if they suffer because of your data management. This could be for material damage or non-material suffering, such as distress.

Helpful links

The website and checklist below are great resource for small businesses looking to step in-line with the GDPR.

ICO resource centre (small organisations and the GDPR)
ICO 12-step checklist

In general, GDPR might help you to earn your customers’ trust, to showcase that you are a company that respects personal data.

DO YOU ALREADY RECEIVE OUR NEWSLETTER?

We always try to share useful industry information with our APECS NEWSLETTER subscribers. If you are not on the list, please follow the link to be up to speed with industry news, APECS product offers and special event invitations.