Triggering the business contingency plan.

I have over 12 years of experience in quality and compliance. I knew when I set up my business, especially as I grow it, I would need documentation to support it. At the moment, it is just me, so I could say everything is in my head. But compliance is the bedrock of a business. I am a firm believer: get the foundations in, and you can build anything.

I had an incident that meant I had to trigger my business contingency plan recently.

My computer has been ‘off’ for a few days, and then it just went ‘the computer says NO!’. I did what most would do: see what was going on and see if I could fix it myself, including the obligatory turn it off and on again. Still nothing.

At this point, I could have gone into panic mode. My computer was not letting me open anything. I could not work. I could not access my calendar or emails on the machine. There is no way to do anything on this machine.

Triggering the contingency plan

As I said, I have a contingency plan that was triggered yesterday.

  1. Contact my (outsourced) IT team, who were messaging me to find out what was happening. They could not access the machine because of the issue.
  2. I pulled out my MacBook.
  3. I recorded the incident internally.

Reporting and Investigating

I wrote the process, so I did not need to check what I needed to do. I know I have to record and investigate the incident internally and assess the origins of the incident and the impact, if any, on the data.

As a data protection consultant, I wondered if it was malware or whether I had been hacked. But, on investigation, it looks like human error. In short, I made a mistake transferring some files from one cloud to another, which sent the computer into overdrive and clogged its memory. No memory, no way to work. Hold on – all my work is done on the computer. How the hell am I going to support my clients?

So, no data was lost or compromised. That also means that I don’t need to report it to the ICO.

Lessons learned

So why should I record and share my mistakes? There are a few great reasons.

  1. To help you learn and not make the same mistakes I do
  2. To reduce the risk of it happening again. I always say reduce. We are human, and we make mistakes.
  3. To show that we all make mistakes around information, technology, and data, even data protection consultants. It is what we do next that is important.
  4. Highlight that human error is one of the biggest causes of data incidents and breaches. It is not something to be punished for if accidental.

Why does it matter?

It is important to write it down for micro and small businesses. Ok, so as I write this, the only employee is me, but I outsource work. I have a team. But there is still a lot of learning to do.

There are a couple of reasons why I write it down

  1. Reflection
    • Reflection is a great tool. How often do we hear “in hindsight …”? From reflection, we learn what went wrong and what we need to do to improve. It cannot take away all the risks, but it reduces them.
  2. If it is not written down, it did not happen.
    • Having a written record of factual events is a good way to show, internally and externally, what went wrong and what was done to sort it out. It is much harder to show what was done if there is no record.
  3. Keep me on track
    • By having a record of the lessons learned from my investigation, I am giving myself an action plan to follow. Again, if it is not written down, where is my record that I have to change something, or that I already have?

As a small business owner, I recently experienced a major incident that forced me to activate my business contingency plan. It all started when my computer suddenly stopped working, leaving me unable to access any files, calendars, or emails. Panic set in as I realized the extent of the issue and its impact on my ability to work and support my clients.

Fortunately, I had the foresight to establish a contingency plan for such situations. I immediately contacted my outsourced IT team, and they began working to resolve the problem. In the meantime, I quickly switched to my backup MacBook to continue my work.

This incident prompted me to reflect on the importance of incident reporting and preventive measures for small businesses. I realized that having a solid documentation system in place is crucial, even for a one-person operation like mine. Compliance and data protection are the foundation of any business, and proper incident reporting is essential to maintaining that foundation.

In the aftermath of this incident, I took the time to record and investigate what had happened. It turned out that the issue was caused by a simple human error on my part – a mistake I made while transferring files between cloud platforms. This caused my computer’s memory to become overloaded and rendered it inoperable. Thankfully, no data was lost or compromised, so I didn’t need to report the incident to any regulatory authorities.

Sharing and recording my mistakes serves several important purposes. Firstly, it allows others to learn from my experience and avoid making the same errors. Secondly, it helps to minimize the risk of similar incidents occurring in the future. It’s important to acknowledge that we are all human and prone to making mistakes, especially when it comes to information, technology, and data. What truly matters is how we respond and take preventive measures moving forward.

For micro and small businesses, documenting incidents and lessons learned is crucial. Even if you are a sole proprietor or outsource work, there is still much to gain from this practice. Reflection is a powerful tool for learning and improvement. We can reduce the likelihood of future incidents by analyzing what went wrong and identifying areas for improvement. Additionally, having a written record of factual events is essential for internal and external communication. It demonstrates transparency and accountability, making it easier to explain what happened and how it was resolved. Lastly, keeping a record of lessons learned provides a clear action plan for making necessary changes and improvements.

In conclusion, incident reporting and preventive measures are vital for small businesses. By proactively addressing and documenting incidents, we can learn, grow, and minimize the impact of future issues. Remember, it’s not about avoiding mistakes altogether but rather how we respond and improve to ensure the continued success of our businesses.

Ethical Inbox Insights: Email marketing and consent

In the last couple of weeks, unwanted emails have increased. Either that, or I am hearing more complaints about the number of unwanted emails and messages people receive. Email marketing is essential for businesses to reach their target audience and promote their products or services. However, it is crucial to understand the importance of consent when engaging in email marketing campaigns. In this blog post, we will explore the concept of consent in email marketing, including when you need to ask for consent, using lead magnets, and the relevant UK legislation.

UK Legislation – GDPR and PECR

As we discussed in our blog ‘GDPR, Business and Social Media’, email marketing is regulated by two key pieces of legislation in the United Kingdom: the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

The PECR specifically addresses electronic communications, including email marketing. It sets out rules regarding consent, privacy, and electronic communications that differ between individuals and registered businesses. It is important to know that not all businesses should be treated equally.

You may have noticed that I use both “business” and “company” in my blogs. That is because a business and a company have slightly different meanings.

A business does not have a distinct legal status. It operates under the legal framework governing business ownership, such as sole proprietorship or partnership. On the other hand, a company is a separate legal entity with its own rights, responsibilities, and obligations. A company is registered with Companies House, and the registry you use depends on where in the UK you are located.

Now, in relation to PECR, a business (a sole trader and certain partnerships) is not a separate legal entity and must therefore be treated as an individual, which means consent is required.

Check out this blog for email marketing and companies.

Under the GDPR, individuals (including sole traders and some partnerships) can control how their personal data, including email addresses, is used. As a business, you must comply with the GDPR by obtaining explicit consent to process data from individuals or having a legitimate interest before sending them marketing emails.

Now, GDPR and PECR are interesting. Under PECR, obtaining consent from your individual subscribers is a fundamental requirement in email marketing. Consent ensures that you have the legal basis to market to individuals via email. You must ask for explicit consent before adding an individual to your email list. This means that individuals need to explicitly opt-in and provide their consent to receive marketing communications from you unless they are existing customers.

You may add existing customers to your list through a ‘soft-opt-in’. This means you can only send them marketing messages offering goods or services similar to those they have already purchased. The same rules for opt-out apply.

A common strategy used in email marketing is the use of lead magnets. Lead magnets are valuable incentives you offer your website visitors in exchange for their email addresses. These can be in the form of e-books, whitepapers, exclusive content, or discounts. While lead magnets can be an effective way to grow your email list, it is important to ensure that you obtain proper consent from the subscribers who sign up through these lead magnets. This means placing the consent checkbox in the sign-up form and NOT tying it to the download button. Telling people they must consent before downloading does not allow them to consent freely.
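As an added example (not code from the original post), the following Python model shows the rules described above and in the two preceding paragraphs: a lead-magnet download that is never conditional on the marketing checkbox, a consent record that keeps the wording shown and the time it was given, and a send check that allows the soft opt-in only for goods or services similar to what the customer already bought. The class and function names are assumptions.

```python
"""Added example: unbundled lead-magnet consent plus a PECR-style send check.
The record layout and names are assumptions, not any product's real schema."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set


@dataclass
class Contact:
    email: str
    # When explicit marketing consent was given (None = never given).
    consented_at: Optional[datetime] = None
    # Exact checkbox wording shown at the time, kept as evidence of what was agreed.
    consent_wording: str = ""
    # Categories the person has already bought from us (basis for the soft opt-in).
    purchased_categories: Set[str] = field(default_factory=set)
    opted_out: bool = False


def bundled_signup(contact: Contact, consent_checked: bool, wording: str) -> bool:
    """The pattern the post warns against: the download is withheld unless the
    marketing box is ticked, so the consent is not freely given."""
    if not consent_checked:
        return False  # no download without consent: do not do this
    contact.consented_at = datetime.now(timezone.utc)
    contact.consent_wording = wording
    return True


def lead_magnet_signup(contact: Contact, consent_checked: bool, wording: str) -> bool:
    """Correct pattern: release the download regardless of the checkbox and record
    consent only when the person actually ticked it. Returns True when the
    download should be released (always)."""
    if consent_checked:
        contact.consented_at = datetime.now(timezone.utc)
        contact.consent_wording = wording
    return True


def may_send_marketing(contact: Contact, product_category: str) -> bool:
    """Decide whether a marketing email about product_category may be sent.
    An opt-out always wins; explicit consent allows any category; otherwise
    the soft opt-in applies only to categories the person already purchased."""
    if contact.opted_out:
        return False
    if contact.consented_at is not None:
        return True
    return product_category in contact.purchased_categories


if __name__ == "__main__":
    # Constructed sample data.
    visitor = Contact("visitor@example.com")
    assert lead_magnet_signup(visitor, False, "Email me tips and offers")
    print("download released, consent recorded:", visitor.consented_at is not None)
    customer = Contact("buyer@example.com", purchased_categories={"ebooks"})
    print("similar goods:", may_send_marketing(customer, "ebooks"))
    print("unrelated goods:", may_send_marketing(customer, "consulting"))
```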

What can I do if I receive unwanted emails?

If you believe you are being sent electronic marketing messages without having consented, or that a sender is still sending them after you asked them to stop, report it to the ICO. How can the ICO know it is happening and take action if nobody reports it? The more it is reported, the more evidence they have, and the more people complain, the more likely action will be taken. Click here to go to the ICO website and see how.

Conclusion

Email marketing is a powerful tool for businesses to engage with their audience and drive conversions. However, it is essential to prioritize consent in your email marketing efforts. Always obtain explicit consent from individuals before adding them to your email list, and be transparent about how their data will be used. Additionally, comply with relevant UK legislation, such as the GDPR and PECR, to ensure you adhere to legal requirements and protect your subscribers’ rights.

By following best practices and respecting the importance of consent, you can build a strong and engaged email list while maintaining trust with your subscribers.

We have created a quick guide to email marketing and the regulations. Download your copy here.

Data Protection, Security and Social media

Social media has become an integral part of our lives, and it’s hard to imagine a world without it. Whether for personal or business use, we use social media platforms to connect with others and share our thoughts, experiences, and ideas. However, with the convenience of social media comes the responsibility of protecting our personal data. In this blog post, we’ll explore the importance of data protection on social media and what small businesses can do to keep their data safe.

Social media platforms collect and store massive amounts of personal data from their users, including demographics, interests, location, and online behaviour. This data is often used for targeted advertising and other purposes. However, it also makes users vulnerable to identity theft, financial loss, and embarrassment if it falls into the wrong hands.

Social media companies are responsible for protecting this data from misuse, unauthorised access, and breaches. To enhance user security, they have implemented various data protection measures, such as strong passwords, two-factor authentication, encryption, and privacy settings. However, users also have the right and responsibility to be aware of the risks associated with sharing personal information online and take steps to protect themselves.

What Small Businesses Can Do

Small businesses are just as vulnerable to data breaches as individuals. Therefore, it’s essential to take data protection seriously. Here are some steps that small businesses can take to keep their data safe on social media:

  1. Use strong passwords and two-factor authentication: Ensure that your social media accounts have strong passwords and enable two-factor authentication to add an extra layer of security.
  2. Educate your employees: Train your employees on data protection best practices, such as avoiding oversharing, using strong passwords, and avoiding public Wi-Fi networks.
  3. Monitor your accounts: Regularly monitor your social media accounts for unauthorised access or suspicious behaviour, and report any suspicious activity to the platform’s support team.
  4. Be cautious when clicking on links or downloading attachments: Be careful when clicking on links or downloading attachments from unknown sources, as they may contain malicious software that can compromise your data.
  5. Stay up to date on data protection laws and regulations: Keep abreast of data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, to ensure that your business is compliant.

Conclusion

Data protection is critical in the era of social media, and small businesses have a role to play in ensuring that their data is protected from misuse and abuse. Even with strong data protection measures, no system is foolproof, and breaches can still occur. Therefore, businesses need to remain vigilant and take steps to protect their data. By following the steps outlined in this post, businesses can minimise the risk of data breaches and keep their data safe.

We hope this post has helped raise awareness about the importance of data protection on social media. As a business owner, it’s up to you to take the necessary steps to protect your data. If you have any questions or concerns about data protection, please don’t hesitate to contact us. We’re here to help! To learn more, why not book a free discovery call to see how we can support you?

Our £9 offer – Make your Website GDPR-Ready

Let’s make your website GDPR-ready.

Are you a small business consultancy looking to gain GDPR compliance for your website? Look no further than our new £9 offer, designed to help you navigate the complex world of GDPR requirements and make your website GDPR-ready.

Lesson 1: Website walkthrough

At the heart of GDPR compliance is the need to protect user data. This includes collecting user consent for data collection and providing clear and concise privacy policies. In Lesson 1, “What to look for on a website to make GDPR compliant,” we break down the key elements contributing to your website’s compliance.

We’ll start by helping you understand what personal data is and what it isn’t. From there, we’ll explore the different data collection practices, including cookies, analytics, and user input forms. We’ll also cover the importance of privacy policies and how to ensure that they meet GDPR requirements.

Lesson 2: Website checklist

Now that you understand GDPR compliance, it’s time to put that knowledge into practice. In Lesson 2, “Website Checklist,” we provide a handy checklist that will serve as your trusty companion throughout the compliance journey.

Our step-by-step guide will help you identify gaps in your website’s GDPR readiness and ensure you have all the necessary measures. From updating your privacy policy to providing user consent for data collection, we’ll help you cover all the bases.

Let’s make your website GDPR-ready.

By the end of this short introductory course, you’ll be equipped with the knowledge and practical tools to make your website GDPR-ready confidently. Our “Let’s Make Your Website GDPR Ready” course is designed to be accessible and easy to follow, ensuring you don’t miss any critical steps.

Join us now and take the first steps towards compliance. Secure your website’s future and build trust with your users today!

If you want to know about our services, check out our page here, or why not book a discovery call here?

GDPR, Business and Social Media

In today’s digital world, social media has become an essential part of our daily lives, with millions of people using various platforms to connect with friends, family, and businesses. Social media platforms have revolutionised how people engage with each other and how businesses connect with their customers. However, concerns about data privacy have emerged with the growing use of personal data for advertising purposes. General Data Protection Regulation (GDPR) was introduced in 2018, significantly impacting how businesses use social media for marketing and advertising. This blog post discusses the impact of the regulations on business and social media.

Myths about GDPR and PECR

There are several myths that small businesses may have about social media, GDPR, and PECR. Here are five of them:

  1. People are communicating on social media, so I can contact them.
  2. GDPR and PECR only apply to large businesses, not small ones.
  3. Obtaining explicit consent for data collection is too difficult and time-consuming.
  4. Compliance with GDPR and PECR will harm my business’s marketing efforts.
  5. GDPR and PECR are just another government bureaucracy that doesn’t benefit consumers.

In reality, these myths are not accurate. People may be on social media, but businesses must be aware of regulations like GDPR and PECR to avoid hefty fines. These regulations apply to all businesses, regardless of size. Obtaining explicit consent may require a little effort to set up, but it is necessary to ensure compliance and build trust with customers. Compliance with GDPR and PECR can improve marketing efforts by building customer trust. Finally, GDPR and PECR protect individuals’ rights and information. It is their data. Just because they may give it to you or put something on social media does not mean you can use it.

GDPR and PECR

While most people have heard of GDPR and data protection, PECR is its lesser-known cousin. GDPR has been established to guarantee transparency in businesses’ use of personal data. Hence, businesses must have a legitimate reason for processing personal data, gather only essential data, and use the data fairly and transparently. Such regulations considerably impact firms that depend on social media for their marketing and advertising activities. Companies must obtain explicit consent from individuals to use their data for marketing objectives. For this, businesses must be upfront about the data they are collecting, its intended use, and with whom it will be shared. This also means you cannot collect data for one purpose and automatically transfer it to another without permission.

PECR stands for the Privacy and Electronic Communications Regulations. These regulations work with GDPR to protect individuals’ privacy rights regarding electronic communications. Essentially, PECR regulates how businesses can use electronic communications to market their products or services. This means that businesses must obtain consent before sending marketing emails or text messages to individuals. Small businesses must understand PECR, as non-compliance can result in significant fines. By following PECR regulations, small businesses can build trust with their customers and ensure they operate ethically and responsibly.

The Impact on Social Media Advertising

Implementing GDPR and PECR has changed how businesses use social media advertising. Social media platforms like Facebook, Instagram, and X rely on personal data to personalise advertising to specific audiences. This means that businesses must be transparent about how they use personal data for advertising and allow individuals to consent to targeted advertising AND have the opportunity to opt out at any time. Consequently, businesses are shifting towards more generalised advertising on social media platforms as they face challenges in targeting specific audiences.

PECR and GDPR protect individuals’ privacy rights concerning electronic communications and ensure transparency in businesses’ use of personal data. By following these regulations, businesses can build trust with their customers and operate ethically and responsibly. These laws emphasise the significance of data privacy and make businesses responsible for using personal data. In the future, businesses are expected to continue using social media for marketing and advertising but must comply with GDPR and be open about handling personal data.

When implementing explicit consent for GDPR and PECR, businesses must provide individuals with a clear option to explicitly consent to targeted advertising. During data collection, this can be done through a pop-up message or a checkbox. Businesses must also ensure that their privacy policy is current and clearly explains how personal data is collected, used, and shared. By implementing explicit consent, businesses can build customer trust and ensure compliance with GDPR and PECR regulations.

The Future of Business and Social Media

The implementation of GDPR and PECR laws has emphasised the significance of data privacy and has made businesses responsible for using personal data. As a result, there has been a move towards more honest and ethical business practices. In the future, it is expected that businesses will still use social media for marketing and advertising. Still, they must follow GDPR and be open about handling personal data. This will establish trust with consumers and prevent businesses from facing substantial penalties for non-compliance.

Conclusion

To sum up, implementing GDPR and PECR has dramatically affected how businesses utilise social media for marketing and advertising. Businesses must adhere to GDPR and be upfront about how they handle personal data. This helps to establish trust with customers and prevents businesses from facing severe penalties for non-compliance. Businesses must prioritise data privacy and ethical practices as our society becomes more data-focused. By doing so, businesses can build a positive reputation and ensure a long-lasting relationship with their customers.

We believe in supporting businesses to understand data protection and embed it into regular practice. To learn more, check out here, or why not book a free discovery call to see how we can support you?