With GDPR coming into effect in just 3 weeks time, I thought I’d share my thoughts and experience so far of our journey here at WeddingDates. Initially, like everyone running their own business I was a little daunted by what we needed to do to ensure that we are GDPR compliant!
We are a software company and our entire business model is based on sending enquiries from our site through to wedding venues and suppliers so we are very much in the data business.
GDRP is all about Personal Data.
This is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The data we gather in WeddingDates i.e. name, address, email, IP address falls within this. When someone sends an enquiry through our website, we email the venue or supplier with an alert and that data is then stored in their enquiry manager software. We do not opt people into our newsletter automatically nor do we share that data with any other venues or other 3rd parties. They can opt in to our newsletter and they have the option to unsubscribe to our newsletters at any stage.
So as the owner of WeddingDates, I have a duty to users of our site, subscribers to our newsletter and our social media and to my team to ensure we properly control and process their personal information. I read up on it, attended seminars on it but ultimately what has worked for us has been to get a GDPR Consultant into WeddingDates to do a complete audit for us.
What strikes me going through this process is that businesses that embrace General Data Protection Regulation (GDPR) compliance will gain a commercial advantage over those that do not. Businesses that do not comply with the Regulation will get complaints and that will only serve to increases the risk of penalties and therefore unnecessary cost to their business. So… I think for SME’s it is well worth spending money now on getting the right advice.
As a team here in WeddingDates we have all completed online training modules. We then all sat down individually with our GDPR Expert and discussed how our operations run. They come back and presented us with a very comprehensive audit of where we are at in terms of our risk factors and what we need to do to improve those if any! Risk can be low, medium, high and major. Thankfully we don’t have any high or major risks to deal with as we have been very compliant with data protection since we launched our business 10 years ago.
Many people out there think that simply updating your Privacy Policy is enough! Well it’s a good start but there is a lot more to it than that.
Our Audit highlights three sections under the regulation:
- Physical Section
Down to things like locking doors and windows and having proper security procedures - Data Protection Section
This is at the core of GDPR, what personal/sensitive data does your company hold on individuals? A data mapping process needs to be gone through to see where information comes from and how it is dealt with. - Policy Section
Are there properly documented policies and procedures, supported and enforced by management?
What we’ve done at WeddingDates
We have been given guidance under each of these headings which we are now addressing. Worth noting that all GDPR and associated data protection activities will need to be audited at least annually.
Before 25th May 2018 WeddingDates has undertaken the following activities in order to be GDPR compliant:
- We contacted our email marketing database to inform them of their rights around GDPR and offered them to unsubscribe from our newsletter.
- We made the unsubscribe link on our newsletter more prominent.
- We updated the Privacy Statement on our website to be fully GDPR compliant.
- All WeddingDates employees are undertaking e-learning courses on GDPR and cyber security. This is provided by an external company specialising in this subject, called Enguard.
- We underwent a full company audit of our physical & electronic data storage as well as the uses of the data we collect and store and have an audit report that we are working through as a result of that exercise. This audit was undertaken by the same external company, Enguard.
- We have engaged with our product development team to perform the necessary improvements to our product to improve user experience and comply with GDPR.
- We’ve updated our internal policies and procedures for GDPR compliance.
- All employees have been provided with an updated company handbook which outlines the updated policies and procedures.
This is here to stay and needs to be embraced and part of business as usual. My only advise on this topic, as I am not an expert, is to seek the advices of someone who is to ensure you a taking the right steps. We used an external company called Enguard – www.enguard.ie
All the best with GDPR! If you are in a wedding venue and looking for tips on how to get ready, then check out my other post.
Ciara Crossan
CEO & Founder of WeddingDates – Celebrating 10 Years in Business
