GDPR Forms and Record Keeping

19 Apr | by Freya Swenson

Data, it's valuable and it's everywhere, but are you using and saving it right? Where it’s stored really matters!

As we summarised in the last post, GDPR is all about personal data and how it’s generated and used. Now we’ll talk about why where it’s stored matters.

Think of data like pound coins: they can get ‘stored’ in your wallet, the bottom of a bag, a money pot or even down the back of a sofa… It’s valuable currency, but that small coin can easily get ‘misplaced’. Data can be exactly the same: it can be stored somewhere safe such as within a CRM system, on an email campaign generator site, in mailing lists or on servers or, more dangerously, (without you knowing) downloaded into a document and saved on a team member’s computer.

You need to stay on top of where the data is saved and then evaluate how you intend to collect, use, protect and delete it should someone request their ‘right to be forgotten’. It's just a case of managing the data in the most effective way for your business (and we'll give you some ideas on how you can do that in a later email).

We wish it was as easy as putting an unsubscribe button on the bottom of your emails and thinking that solves everything. A way around this could be to create particular lists by topic, as someone may not want to know about one 'topic' but may still want to know about some other topics. With new lists, you'll then need a database that manages what you can and cannot contact them about.

If you get investigated, you’ll be asked under GDPR how you’re protecting the personal data from the day it’s collected until the day it’s no longer needed, and then how it will be destroyed in the most appropriate and secure manner. You’ll need to be prepared to answer this, otherwise you’ll be looking at that fine we spoke about in email 1 (yup, the 4% of the company’s annual global turnover)!

Because GDPR will also look at how the content is collected in the first place, it’s worth considering if the data you’re collecting is really required, e.g. do you need their home number and the mobile number if you’re not intending to contact them by phone? It will also clamp down on any auto-tick boxes that ‘automatically’ subscribe the user to something such as a newsletter when they place an order.

It’s worth reviewing any forms (digital or not) sooner rather than later, along with where the data comes from, and thinning it down if it's not needed. Areas where personal data could be generated include:

  • Newsletters
  • Autofill forms
  • Manual fill forms
  • Delivery address
  • Payment for items
  • Registered card address and details
  • Social media posts for UGC (user-generated content)
  • Mobile location check-ins
  • Forums
  • Contact phone number

Once you’ve viewed the data, you’ll need to audit your findings so you can clearly show:

  • You know what personal data your business holds and where it’s located across your entire digital landscape
  • You have, and will continue to properly manage, the process for getting consent from the individuals involved (e.g. tick boxes, unsubscribe links etc.)
  • You can prove who in your business uses the personal data, what the data is exactly and for what purpose
  • You have put the appropriate processes in place to manage data requests from the public such as the right to be forgotten

To read the official regulation on this, click here, although be warned, it’s not a light read.

In the next email, we’ll talk about how to advertise to people who haven't given you permission (yes, there are ways around it).

In the meantime, keep on being awesome.