Now that GDPR is a thing, as an online business owner, you must check that your website legals comply with GDPR.  This live is all about who’s who in the GDPR jungle and YOUR role in your Privacy Policy.

This video is about what your role is with regards to your Privacy Policy. Are you a Data Collector or a Data Processor? Plus how to make sure your service providers are complying with GDPR.

In this video I want to address

  1. what it means to be a Controller of Information and the Processor of Information
  2. why it’s important to make sure that people you work with (i.e. share the information that you have collected or those who have access to it) are also GDPR compliant and have their Privacy Policies and practices set up so they are complying with GDPR.

A quick refresh

GDPR are the General Data Protection Regulations that are now enforced by the EU and is a peak body in relation to the collection of private information by businesses for necessary purpose either to conduct their business or for marketing purposes.

Your Privacy Policy now needs to comply with GDPR both in form and content. This means that how your Privacy Policy is structured and what information and disclosures your Privacy Policy needs to contain is now governed by the GDPR – the regulations.

To start with you need to identify yourself in your Privacy either as Controller of information or the Processor of Information, and if in your business you are both then you need to address that in your Privacy Policy document and how you do that depend on the structure of your business and your marketing.

Data Controller vs Data Processor

Its really important to understand the meaning of Controller and Processors – as these two roles are the main focus of the GDPR.

You as a small business are the Controller of information in the first instance – you control the means of collection of private information and the purpose for which it is collected. – the purpose by the way – has to be a legitimate purpose (another lives another time)

Sometimes you will be both the collector and you will process the information yourself. Other times you will hand over control of that information to an outside provider to use that information for a particular purpose – and this is usually for marketing and research purposes.

When you hand over control to another party – they are the Processors of Information.  These other parties are also third-party service providers in relationship to your business.  The first party is you, the second your client or website user/data provider and the third party is the processor who you have handed the control of the information you have collected.

So how can you ensure that the third-party processor such as a CRM you are using or email marketing software complies with GDPR.

There are some very simple steps to keeping a handle on this stuff.

  1. Make a list of all your processors. Providers like email marketing software, accounts software, cloud storage, CRM etc, marketing agencies, website developers – anyone who processes personal data under your instructions.
  2. Do some checking on all of your processors to see what they are saying about complying with GDPR.
  3. Make sure that you have a written Processor Agreement with all of your processors that contains all of the required provisions as set out in GDPR.

The big companies’ eg Mailchimp, they will have their own Processor Agreement incorporated into their terms of business). If your processor is smaller (such as a virtual assistant), then send them your own Processor Agreement.

The obligation is on you as the data controller to make sure there is a Processor Agreement in place.

  1. Work out whether each of your processors is based outside of the EEA or is transferring data outside of the EEA.

Mark where they are located and do they fall into one of the following categories:

  1. Processors located in the European Economic Agreement
  2. Processors located outside the EEA and the US but considered “adequate” in their data protection practices by the European Commission.
  3. Processors located in the US – are they registered on the EU/US Privacy Shield list – you can check on the Privacy Shield Database to see if the company is listed.
  4. If your processor is not located in the EEA or on the Adequacy list or registered on the Privacy Shield database and your data is being transferred internationally then your Privacy Policy and your Processor Agreement needs to contain standard clauses that hat been pre-approved by the European Commission.

As part of GDPR, we all need to be more vigilant about what personal data we are transferring and put in place safeguards to protect people’s personal data.

If you need to chat with me about your Privacy Policy or anything related to your website, please get in touch or start with one of my templates.

Shalini X