
Don’t let scaremongering get the better of you – stay calm and get GDPR compliant


21 March 2018

Former special projects journalist

GDPR will come into effect in fewer than 100 days, so now is the time for businesses everywhere to assess the way employee and customer data is processed and held. Direct mail provider, Pepper, explains the changes it has made to ensure compliance.


The General Data Protection Regulation (GDPR) is due to come in on 25 May, and aims to create a harmonised approach to EU citizen data privacy. Any businesses which fail to get GDPR compliant by this time can face heavy fines, so for those that have yet to start making preparations, now is the time.

Pepper is a Plymouth-based family business with 61 employees. It delivers print and direct mail solutions managed by a team of printing and direct mail professionals.

Why is it so important to your business to look after this data securely?

As a direct mail marketing company, it is incredibly important that we look after data securely. We want to protect the rights of the individuals whose data we hold and protect ourselves from any potential breach.

Do you think GDPR is a daunting prospect for small businesses in general?

I think many businesses are rattled and a little scared of the headline fine numbers and may find it daunting because of the way GDPR has been discussed and outlined. There are also many myths which small business owners may have come across before reading up on GDPR in full.

What steps have you taken to make sure you are GDPR compliant? Have you had to make a lot of changes?

We discussed with the board and agreed on the importance and opportunity aspects of the regulation.

(1) We mapped our data movements in and out of every department, so we could understand where data is held, where it came from, and who has access to the data

(2) Reviewed our privacy notices to confirm how we use data in jargon free terms

(3) Understood our responsibility regarding individual’s rights

(4) Set up processes to make data accessible to handle information requests when required

(5) Reviewed data processing procedures and agreed new policies

(6) Reviewed consent processes and included this in our revised data processing contracts

(7) Reviewed all procedures and policies, including our breach notification policy

(8) We have enforced privacy by design so that all data is encrypted with AES-256 encryption on site and when transferring data online to customers

(9) We have assigned a DPO

(10) Attended industry specific seminars explaining the impact of GDPR on the direct marketing industry

(11) Created an easy to follow guide highlighting the key overview parts of the new regulation to use as a training reference internally

(12) Trained internal teams company-wide explaining new policies and the importance of everyone’s duty to abide by the policies

(13) Booked BSI GDPR training

(14) Helped and advised our own customer base with a reassuring, helpful and positive message regarding GDPR and their responsibilities

(15) Applied for GDPR certification.
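Item (8) names AES-256, which fixes the key length but not the mode of operation or how tampering is detected. The example below is added here as an illustration and is not Pepper's code or a description of its systems: it shows what "encrypted at rest and in transit" looks like at file or record level using AES-256-GCM from the Go standard library, where the authentication tag makes any modification of the stored or transmitted blob detectable, and where associated data (a record identifier, assumed here as `record-id:0001`) binds each ciphertext to its context so blobs cannot be swapped between records. The sample mailing record is constructed for the example; the key is generated in memory, and in a real deployment it would be held in a KMS or HSM rather than beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // 32 bytes = AES-256

// Encrypt seals plaintext with AES-256-GCM under key. The returned blob is
// nonce || ciphertext || tag, so it can be stored or sent as a single unit.
// aad is authenticated but not encrypted; binding a record ID here stops one
// record's ciphertext being silently substituted for another's.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message: reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. It returns an error if the blob
// or aad differs in any way from what was sealed, because GCM verifies the
// tag before releasing any plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey generates a random AES-256 key. Keeping the key next to the data it
// protects defeats encryption at rest; this is for demonstration only.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// TamperDetected flips one byte of a sealed blob and reports whether Decrypt
// rejects the result, i.e. whether integrity protection actually fires.
func TamperDetected(key, blob, aad []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered, aad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example, not real customer data.
	record := []byte("name=A. Example;address=1 Sample Street, Plymouth;campaign=spring")
	aad := []byte("record-id:0001") // assumed record identifier used as context

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, blob, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(pt, record))
	fmt.Printf("tamper detected: %v\n", TamperDetected(key, blob, aad))
	_, err = Decrypt(key, blob, []byte("record-id:0002"))
	fmt.Printf("wrong record context rejected: %v\n", err != nil)
}
```

The point for a data processor is the last two lines of output: a bare block cipher with no authentication would decrypt a modified or mis-filed blob to garbage without complaint, whereas GCM refuses it. Transport to customers would normally sit on TLS as well; encrypting the payload this way keeps it protected on whichever disks, mail servers or portals it passes through.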

What do you think are the pitfalls for small businesses when it comes to GDPR?

The main pitfall is that GDPR will create a drain on resources for many small businesses. GDPR is very lenient on direct marketing, so there are not as many limitations as may have been originally perceived in the media, as outlined in our GDPR compliance guide.

What would your advice be to any small businesses feeling panicked by GDPR?

I would advise to not read the scaremongering headlines but to spend a little bit of time following a resource or guide around it. Do not panic, review and update your processes/procedures/policies and put the individuals’ rights at the heart of your data strategy.