Four letters you’re probably sick of seeing and hearing, yet you’re probably still wondering where to start.

This isn’t the first time new legislation and laws have come into effect, and it certainly won’t be the last.

So why didn’t businesses lose their minds over PCI-DSS? Or cookie consent laws? Or the registered name and address on websites rule? So many businesses still struggle with these. Others don’t even know what they are.

Note before I go on: I am not a GDPR expert, lawyer or data protection specialist. This blog is simply my own personal interpretation of a massive subject.

So why is GDPR different?

It’s perhaps the mere mention of €20m fines (the maximum is €20m or 4% of worldwide annual turnover, whichever is higher) that’s made so many people sit up and pay attention. Social media and networking events have whipped up a GDPR frenzy, with relatively little practical guidance for businesses to go with it. Of course, none of us SMEs (particularly those of us, like us, at the ‘S’ end of SME) could afford a €20m fine in a million years.

But what’s the reality?

Simply, if you’re not doing anything wrong, GDPR is not out to get you.

Just today I had an email from a client saying “here’s the access code for my Square account you asked for” [Square is an online payment provider like PayPal]. I hadn’t requested any codes, and luckily the client forwarded it to me, because it was a scam.

It’s things like this that the new legislation sets out to combat: the misuse of personal data.

The email subscription management service recently announced it would no longer serve EU customers after May 24 as it “cannot comply with GDPR”. The company’s privacy policy says it has the right to collect a user’s data and decide what to do with it, including sharing it with third parties. It’s a case of stop doing that or stop doing business in the EU.

So if your business is trying to scam people into giving their passwords to you, or selling personal data to third parties, then perhaps GDPR is out to get you.

If however you’re emailing your existing customers and prospects about things they won’t be surprised to see in their inboxes, then you have little to worry about.

GDPR is as much about the storage and ownership of personal data (digital and physical) as it is about what you do with it.

It’s about security, it’s about transparency, it’s about accuracy and housekeeping.

So what do you need to do?

My approach to GDPR has been to stay composed, be patient and observe. I’ve been to multiple seminars (one of which was misinformed scaremongering), had consultations with lawyers, spoken to other business people, watched hours and hours of videos and webinars.

The general consensus out there is… there isn’t one. GDPR isn’t black and white. It has several grey areas (read up on legitimate interest).

My prediction is the bigger brands out there will do what they want. Some of it will be right, some of it will be wrong, and it will shape the further tightening of GDPR. But maybe not for five years or so.

The likelihood of the ICO (the UK’s Information Commissioner’s Office, the regulator that enforces GDPR here) turning up at your door on May 25 2018, or 2019, or 2020, or 2025… is pretty much zero unless you’re doing pretty naughty things with your data and getting lots of complaints.

There are still countless businesses that aren’t PCI compliant… and I’m sure there will be millions that aren’t GDPR compliant for years to come. [Note: PCI-DSS is the Payment Card Industry Data Security Standard. It’s a standard imposed by the card brands rather than a law, but it’s similar to GDPR in that it requires businesses that take card payments to process and store card details securely.]

My advice, as a NON expert who has simply sat back and listened, is…

Bust the jargon

What’s a data subject? A data controller? A data processor? What does GDPR stand for? And ICO? And PECR? You probably need to know all this. In short: the data subject is the person the data is about; the controller is the business that decides why and how that data is processed; a processor is someone processing it on the controller’s behalf (your email marketing platform, your payroll provider); GDPR is the General Data Protection Regulation; the ICO is the Information Commissioner’s Office; and PECR is the Privacy and Electronic Communications Regulations, the separate UK rules on marketing emails, calls, texts and cookies.

Decide what your lawful basis for processing personal data is

There are six of them (consent, contract, legal obligation, vital interests, public task and legitimate interests) and you’ve probably only been told about ‘consent’ by scaremongers. Consent isn’t the be all and end all of GDPR. Look into the other five lawful bases and see which one(s) are right for your business. If you haven’t heard of the six lawful bases then you’ve probably been ill-advised and could be about to take drastic action for the wrong reasons.

Your lawful basis for processing data will determine your answer to pretty much the only question I hear people ask… “do I need to ask my subscribers to re-subscribe?” The reality is you probably don’t, though for marketing emails in the UK you also need to check PECR, which is what actually governs whether you need consent or can rely on the ‘soft opt-in’ for existing customers. Cleansing a database and deleting those who aren’t opening or reading your emails isn’t such a bad thing, so decide what’s right for you in line with your lawful basis for processing.

Audit your data

What do you hold? How long have you had it? How did you get it? Is it accurate? Do you need to update it? Do you still need it? Is it secure? GDPR aims for the lawful, fair and transparent use of accurate data – you need to know what data you hold before you can comply.

Assess what you’re asking for

Specifically when dealing with customer data, sales enquiries etc, ask yourself whether you’re asking for data you don’t need. Do you really need a customer’s date of birth? If your product is age restricted, probably. If not, no.

Revise your policies

It’s not just about tick boxes on websites and sending emails to people. It’s also about what data you hold in your day to day working life… employee information for example. All employers will have to comply with GDPR and have privacy policies in place to accompany employment contracts.

It’s about security. Do you have access to customer or staff data on your laptop or phone? What happens if you leave it in a cafe? Full-disk encryption and a screen lock turn a lost laptop from a potential personal data breach into just a lost laptop; without them, you may have to report the loss to the ICO.

Be transparent

When collecting data, tell people what you’re going to do with it, how long for, and give them their ‘right to object’ options. Go back to the lawful basis point above… there are occasions where your lawful basis for processing data can overrule the data subject’s right to erasure (the ‘right to be forgotten’), for example if you need to comply with the law in keeping data on file for a mandatory number of years.

See what everyone else is doing

The chances are, the big players in your field have spent time and money on this. They’re more likely to be getting it right and more likely to draw attention to themselves if they get it wrong.

Document all your decisions

The ICO wants businesses to generate awareness of GDPR and take steps toward being compliant. In some ways that’s all you can do right now. Documenting your decisions is also how you show accountability, which GDPR explicitly requires: you should be able to say what data you hold, why you process it, on what lawful basis, and for how long. It’s best practice to have documented policies and procedures anyway.

And finally…

Don’t do anything I’ve said. I’m not an expert by any means. Find out about GDPR for yourself and only do what works for your business. Before you fire off an email to your contacts asking them to resubscribe to your newsletter, find out if you really need to. The reality is you probably don’t.