Like most people, when I first heard the acronym of death I was pretty disengaged. Since then, I have been on what can only be described as a rollercoaster of excitement learning the depths and detail of the issue at hand, and working out the easiest way to deal with GDPR. It’s been a real thrill, so I wanted to share with you all the experience of learning what GDPR actually means for me, and how I can largely avoid the pain of it. Spoiler: there’s some helpful info at the bottom if you want to skip straight to that.
Buckle up folks.
May 1st — May 24th 2018
Did you know there’s f*cking more to GDPR than just agreeing to emails? This thing is endless and actually quite good for privacy (if you gloss over the fact that both Google and Amazon can listen to my every word).
I had a little moment of:
And then wrote this cheat sheet for all you need to know about GDPR The Sequel (aka the real shit) — particularly if like me you have lots of info about people stored in spreadsheets.
STORING INFO ABOUT SOMEONE IN THE FIRST PLACE
First up — there are now rules around why you can store someone’s data (which can be anything from their email address and phone number to their card details and a copy of their passport). Here are the 6 legal bases that let you store (or do anything else with) someone’s data and comply with GDPR — you need at least one of them for each thing you do with the data:
- They’ve given you consent to process their data for a specific reason
- Because you’re entering a contract with them and to do so need to process some data
- To comply with the law you need to process data
- It’s going to protect someone’s life (I like this one most)
- You need to process the data to carry out a task in the public interest or to exercise official authority (this one is mostly for public bodies, not small businesses)
- There’s a legitimate interest of yourself or a third party that isn’t outweighed by the person’s own rights (e.g. preventing fraud or keeping your systems secure; if you’re just holding data on behalf of another business, it’s their legal basis that counts, and you’re acting as their processor)
WHAT YOU DO WITH THAT INFO NOW YOU HAVE IT
Now you’ve got that data (and confirmed you have a legal reason for storing it) there are a few things you have to make sure you’re doing with it:
- Keeping it secure
- Not passing it on to other parties unless you have a legal basis for that too and the person knows it happens (that includes things like sharing your Google Doc of invitees to an event with another company)
- Keeping control of that data, knowing who has access, and when they accessed it
- The ability to tell someone all the data you’re keeping on them, within a month of them asking
- The ability to delete someone entirely from your database — this means evvvverrrrything, every sheet and every copy, unless the law says you have to keep a particular record
- Not having ‘stale’ data — GDPR doesn’t give you a number, it just says keep it no longer than you need it, so pick a retention period (2 years with no contact is a common rule of thumb for a contact list), write it down, and refresh or remove anyone older than that
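If your “database” really is a spreadsheet, here’s what those last four bullets look like as a script. This is an added example, not code from the original post or from the stitch app; it assumes two constructed CSV exports (a contacts sheet and an event invitees sheet) keyed by email, an access log kept alongside them, and a 2-year retention period that you have chosen yourself.

```python
"""Handling GDPR requests over contacts kept as CSV exports of a spreadsheet.

Added example, not from the original post or the stitch app. Assumes two
constructed CSV "sheets" keyed on an `email` column, and that whoever runs a
request is identified by an `actor` string so the access log has a name in it.
"""
import csv
import io
from datetime import date, datetime, timedelta, timezone

# Constructed sample data standing in for two tabs of a spreadsheet.
CONTACTS_CSV = """email,name,phone,last_updated
alice@example.com,Alice Ng,+44 7700 900001,2018-04-02
bob@example.com,Bob Ray,+44 7700 900002,2015-11-20
"""

INVITEES_CSV = """event,email,rsvp
Launch party,alice@example.com,yes
Launch party,bob@example.com,no
Workshop,bob@example.com,yes
"""


def load_sheet(text):
    """Parse one CSV export into (rows, column order)."""
    reader = csv.DictReader(io.StringIO(text))
    return list(reader), list(reader.fieldnames)


class ContactStore:
    def __init__(self, sheets):
        # sheets: {sheet name: (rows, fieldnames)}
        self.sheets = {name: rows for name, (rows, _) in sheets.items()}
        self.columns = {name: cols for name, (_, cols) in sheets.items()}
        self.audit = []  # (when, who, what, whose data): the "who accessed it" record

    def _log(self, actor, action, email):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, actor, action, email.lower()))

    def _matches(self, row, email):
        return row.get("email", "").strip().lower() == email.strip().lower()

    def access_request(self, actor, email):
        """Everything held about one person, across every sheet (the 'tell them
        all the data' bullet). Returns {sheet name: [rows]} for sheets with hits."""
        self._log(actor, "access", email)
        found = {}
        for name, rows in self.sheets.items():
            hits = [dict(r) for r in rows if self._matches(r, email)]
            if hits:
                found[name] = hits
        return found

    def erase(self, actor, email):
        """Remove the person from every sheet (the 'delete evvvverrrrything'
        bullet). Returns the number of rows removed so you can confirm it."""
        self._log(actor, "erase", email)
        removed = 0
        for name, rows in self.sheets.items():
            keep = [r for r in rows if not self._matches(r, email)]
            removed += len(rows) - len(keep)
            self.sheets[name] = keep
        return removed

    def stale(self, sheet, max_age_days, today=None):
        """Emails whose `last_updated` is older than your chosen retention
        period (the 'stale data' bullet). `today` is injectable for testing."""
        today = today or date.today()
        cutoff = today - timedelta(days=max_age_days)
        return [r["email"] for r in self.sheets[sheet]
                if date.fromisoformat(r["last_updated"]) < cutoff]

    def to_csv(self, sheet):
        """Serialise a sheet back to CSV so the cleaned copy can be re-uploaded."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=self.columns[sheet], lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.sheets[sheet])
        return buf.getvalue()


def build_store():
    """Load the constructed sample sheets into a store."""
    return ContactStore({
        "contacts": load_sheet(CONTACTS_CSV),
        "invitees": load_sheet(INVITEES_CSV),
    })


if __name__ == "__main__":
    store = build_store()
    print("Access request for bob:", store.access_request("me", "Bob@example.com"))
    print("Stale after 2 years:", store.stale("contacts", 730, today=date(2018, 5, 25)))
    print("Rows erased for bob:", store.erase("me", "bob@example.com"))
    print(store.to_csv("invitees"))
    print("Audit trail:", store.audit)
```

The two things worth copying even if you never run this: every request goes through one function that writes to the audit log, and erasure walks every sheet rather than just the one you remember, which is exactly where a spreadsheet-and-a-few-Google-Docs setup tends to go wrong.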
That’s the bulk of it folks. If you think you might struggle to comply with all this by just using your trusty spreadsheet, check out stitch (stitchapp.co), which is the reason I’ve spent so long learning about GDPR in the first place. It’s a way to manage your network of contacts and their details which handles the GDPR compliance for you. You can upload your spreadsheet direct to it and BAM — you’ve got an easy way to respond to GDPR data requests and deletion requests, and a way to avoid keeping stale data. It’s also generally just a much nicer way of managing your contacts than a spreadsheet, but that’s another story.