The GDPR train is fast approaching your platform on the 25th May, and there are steps everyone will need to take before it arrives.
It all seems pretty daunting and there is a lot to get your head around, so I’m going to try explaining it through a Thomas the Tank Engine analogy.
Think of ‘Data’ as passengers who would like to use the train. They want to get on the train for different reasons: some of them just love your train service (they sign up to your marketing), others need to use it to go somewhere (they buy your products/services), others have enquired about your train service but haven’t caught the train yet (contact forms about your services/products), and so on.
You, as an individual or ‘legal person’ (such as companies, Government Departments and voluntary organisations), are ‘Data Controllers’ – in Thomas the Tank Engine terms you’re ‘the Fat Controller’ (don’t take that personally).
The Fat Controller is in charge of all of the passengers (data). All passengers need to be made aware of where they are going, what ticket they’re buying and whether they are safe. The control is now in their hands when it comes to their train journeys. Oh, and if their train does get hijacked, the passengers need to be told within 72 hours of the incident (rather long train journey, I know).
Where is Thomas the Tank Engine’s cameo in this delightful story I hear you say? Well, Thomas is known as a ‘Data Processor’ in GDPR terms. Thomas carries the passengers for the Fat Controller and makes sure that they all get to their desired locations safely (marketing, a sale, an enquiry etc).
It is the Fat Controller who has control over Thomas’ journeys: which passengers are picked up, where they want to go and the type of ticket they have bought. This is not Thomas’ role in this well-oiled partnership. In GDPR words, the data controller has the responsibility of writing the privacy policies, the cookie policies and the data policies, and of instructing the data processors on them: what the website contact form says, what opt-ins are available for marketing purposes, and so on.
However, Thomas must take steps to make sure his carriages are safe and secure so none of the passengers can fall off the train or get lost along the way. Thomas, or ‘Data Processors’ in GDPR terms, are any third parties who handle your customers’, clients’ or employees’ data for you: payroll companies, accountants, your email client, your marketing agency, your website developer, CRM systems, cloud-based software, your server provider… the list goes on.
Okay, I think you’ve probably had enough of the Thomas analogy, back to real life GDPR stuff now...
The ICO have put together a really useful 12-step plan for organisations to follow. You can find the PDF here.
We, as a creative and digital agency, cannot give you any legal advice on your steps towards becoming GDPR compliant, but we will try to offer guidance and help where possible. If you are unsure about what to do next, we recommend you study the ICO’s guidance or seek independent legal advice from a solicitor.
Mind the gap – all aboard!