Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Hello please - imminent GDPR (General Data Protection Regulation) legislation

11 replies

2018name · 23/04/2018 15:28

Can anyone please help? A friend has asked me to help her out on her small business and the implications of the GDPR. Talk about leave it late - I am no data protection expert and have found the literature available on this very complicated to understand. Can anyone please point me in the direction of something understandable and which can be applied to a small business? She runs a small furniture, crafts and furnishings business so at first look one might not think GDPR would be that relevant but she has a mailing list of about 5,000 people that she does use both for emailing and mail shots. This has been built over the last 10 years of trading made up of people who have signed up on her website at some point (though system not sophisticated enough to know when they signed up) or whose details have been collected when they bought items. Are there any guides somewhere that small business owners can actually understand? Thanks very much.

flowery · 23/04/2018 16:02

ICO guidance for small organisations ico.org.uk/for-organisations/business/

Angrybird345 · 23/04/2018 22:00

Plans need to be in place by the end of May 2018 and it will be strictly enforced in May 2020.

travailtotravel · 23/04/2018 22:04

Angrybird, what's your source for that info please?

bumpsadaisy11 · 23/04/2018 22:16

As she has a mailing list she will definitely need to comply with GDPR.

Part of GDPR states that you have to get your existing mailing list subscribers to opt in again.

ohfortuna · 23/04/2018 22:23

I wonder if eBay sellers have to register?

Angrybird345 · 24/04/2018 07:05

Check out ICO.

buckeejit · 24/04/2018 07:30

I work in a small charity & we've done nothing yet 🙄

I had a mail from the National Trust which was good but have given it to colleague to prepare who's currently off sick! I think it's basically get in touch and ask everyone if they want to be kept up to date.

I believe The White Company have done it with a voucher to entice people to stay on the mailing list!

LIZS · 24/04/2018 07:40

She will need to send a mailshot/email out asking everyone on her list to confirm if they wish to remain on her contact list and confirm that the details are correct. Anyone who fails to respond or who asks to be deleted should be erased from her database. She will also need a privacy notice on her website/paperwork stating how any personal details collected will be used. If she shares with a 3rd party that is another consent which needs to be actively sought and how they use data checked. As a Data Processor she will also need to appoint a Data Protection Officer unrelated to the business to monitor and assist with Subject Requests and potential data breaches - most charge a nominal fee.

I would have thought many small business and charity organisations are running seminars in anticipation of this, with DPO organisations offering services. Otherwise there is a free online FutureLearn course which may help.

TJEckleburg · 24/04/2018 07:44

What does she use to manage her mailing list? Most 3rd party mailers (Mailchimp etc) have guidance on how to reconsent your email list - if she is using a website that doesn’t have this maybe it’s time for her to move to a better provider as part of this process which may also allow her to get better deliverability of her emails and better CRM.

somewhereovertherain · 24/04/2018 07:45

The ICO site is confusing and having been to a couple of talks on it so many get outs and get rounds it’s untrue

But if unsure or unclear of consent - best to get everybody to sign up again but most won’t. I haven’t responded to any re-sign ups.

Also loving the amount of unsolicited spam about GDPR I’m getting.

Xenia · 24/04/2018 13:17

She should also check she is registered with the ICO (under old and new law is required).

Also lots of people are confused but the email marketing rules in PECR are separate from general data protection law and likely to be revised next year by the way.
