Still Not Ready for the GDPR? Here's What You Need to Know Right Now

Linda Formichelli

Welcome to 2018!

As you saw in last week's post, this year field service businesses can look forward to stiffer competition, new technologies like automation and the Internet of Things, more personalised customer service, and the GDPR.

Running a business isn't easy: Besides the trends we noted in that post, you need to be thinking about hiring the right employees, ordering the right parts and supplies, attracting new customers, keeping old customers happy, learning about and implementing new technologies, and generally staying profitable.

So where should you start in 2018?

We recommend you start with getting ready for the GDPR like right now. While every aspect of your business is important, if you don't comply with the GDPR you can be hit with whopping fines. Also, depending on how organised you've been with the data your business collects, it may take some time to get it all together and implement a plan.

We know winter is a crazy time for field service businesses, what with people's boilers breaking down and their pipes freezing, so we put together this quick Q&A of the GDPR basics. We're focusing on small and medium-sized enterprises (SMEs) here, since they're affected differently than humongous organisations.

What is this GDPR you speak of?

If we may quote that inestimable source, Wikipedia: 'The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)'.

In plain English, the GDPR gives individuals in the EU control over their own data—what's collected, how it's used, how long it's kept, and more.

(By the way, did you know Wikipedia is 99.5% accurate? That's why we don't mind using it as a source occasionally. Not to mention, Wikipedia has a nice summary of the GDPR you should take a look at.)

When is the GDPR deadline?

25 May 2018. If you're reading this post the day it came out, that gives you 143 days, or 101 working days, to make it happen. Looking at it another way, that's over four months—more than a third of a year! So don't freak out just yet.

(If you're reading this post later, say in April 2018, you have our permission to freak out. But keep reading, because the information here can help you get your ducks in a row fast.)

My field service business is so small; does the GDPR apply to me?

Yes, the General Data Protection Regulation affects all businesses that collect data from individuals in the EU. The extent to which the GDPR affects your business depends on the kind of data you collect, how much of it you collect, and what you do with it. You're likely not a high-risk business (more on that below), so you're exempt from certain rules. For example, organisations that do large-scale monitoring of data subjects must appoint a Data Protection Officer; if that's not you, then this rule doesn't apply.

But I'm in the UK! Does it still affect my business?

Mostly yes. According to an article in Wired UK, 'The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same'.

The GDPR gives your field service customers control over their data.

Are we still allowed to collect data?

Yes! Thank goodness—you'd be in big trouble if you couldn't collect employees' home addresses, customers' boiler data, or parts suppliers' payment information. However, under the GDPR there will be guidelines as to what data you can collect, how long you can retain it, what you can do with it, how you must protect it, and individuals' rights where it concerns their personal information.

I heard we need to have a privacy policy. What would it include?

Yes, you need to develop a policy so that everyone in your organisation collects and handles data in a GDPR-compliant way. This information will also be used in your privacy notice and consent requests (more on those below), and should include:

  • What information you collect.
  • How you use the data.
  • How it's within your rights to use the data for the purposes you stated.
  • How long you retain the data.
  • The fact that people have a right to complain to the Information Commissioner's Office if they think you're misusing their personal information.

Speaking of the ICO, they have their own guide to the GDPR you might want to take a look at.

I don't even know what information we collect from everyone! Now what?

Somewhere deep in the internal workings of your business, you probably have all the information you need to create a GDPR-compliant privacy policy. For example, the data you collect on your customers is likely lying around in your field service management app and your email marketing system. Your office manager may know how long you keep each type of data, why you collect it, who you're sharing it with, and how it's being secured.

Your task now is to unearth all that information and collect it in one place. To get a head start, just scroll down to the bottom of this post and download our free GDPR guide and checklist. This thorough guide includes more detailed information, links to additional resources, and a checklist where you can jot down the details you'll need to create all these GDPR policies, notices, and procedures.

TwitterIcon.png

Anxious about the GDPR? Simply knowing what data you collect & why is the first step toward becoming GDPR-ready. http://bit.ly/CSGDPR [TWEET IT OUT!]

We already tell website visitors we're collecting their data to send them our newsletter, Field Service Fortnightly. Isn’t that enough of a privacy notice?

Sorry, no. Your notice needs to tell people everything we mentioned about the privacy policy: What info you collect, how long you keep it, and so on.

We know this is all starting to sound pretty complicated, but remember that it's all related. Once you've done some research on what data you collect and why, you can simply plug this information into your privacy policy, privacy notice, consent forms, and more. (We hate to keep hitting you over the head with it, but that's what our free downloadable GDPR guide and checklist is for.)

Wait, I see we now need to ask for consent before collecting information? Like we don't have enough to do.

Yes, you need to ask people to opt in to whatever way you're using their data. (And those sneaky pre-ticked boxes are a no-go.) Luckily, though, you can find plenty of examples of GDPR-compliant consent forms online. This article on Medium, for example, offers lots of detail as well as design examples you can pilfer for your own business.

What does all this have to do with actually protecting people's data?

Well, you'll need to take steps to ensure that your customers', suppliers', and employees' data is safe and secure. This sounds like a huge task, but you probably won't need to do anything extreme. For many SMEs, strong passwords, and policies as to who in your business is allowed to access sensitive data, may be enough.

We won't go into all the details here since they'll be different depending on the size of your business and the data you collect, but you can check out the eight-point Guide to Data Protection from the Information Commissioner's Office. There, you'll find information on what level of security you need to implement, plus other details on data collection and processing.

We use BYOD. How does the GDPR apply to our field service engineers who use their own devices in the field?

Good question! You have a lot less control over data on your engineers' personal devices than on business-owned ones. If you have a BYOD (Bring Your Own Device) policy, your task is to know what devices your business data is on and to make sure they're secure. Information Age has a good article on 'Top tips for securing your mobile devices ahead of GDPR'.

MORE READING: Learn all about the pros and cons of BYOD for your field service business.

What happens if we experience a data breach even though we changed our passwords from '1234' to something more secure? 

As with a lot of General Data Protection Regulation policies, it depends. If the data breach might pose a risk to individuals' rights or freedoms, you need to let the ICO know within 72 hours, and also tell the individuals whose data was compromised.

The GDPR recognises a continuum of risk, from 'high risk' through 'risk' to 'low risk'. Wondering where you land? This article from the International Association of Privacy Professionals, 'Risk and high risk: Walking the GDPR Tightrope', digs into the details. (Don't panic, though, you are almost definitely not 'high risk'.)

I still have questions. Who can I ask?

The ICO started a free advice line just to help small businesses with their GDPR questions.

Where's that checklist you keep going on about?

Right here—just click on the banner below to download the free GDPR guide and checklist we created just for small- and medium-sized field service businesses.

GDPR

 

 

Share this article