GDPR demystified for sole traders and small businesses: Part 2


Bake Your Cookies Well

 

One of the major aspects of GDPR compliance is the use and management of cookies. Visitors to your website must be notified of your use of cookies, why you use them and what they are for. Information on the duration of cookies is also strongly advised.

Furthermore, you are required to have visitors’ explicit consent to deploy cookies to their devices, and to provide clear options and mechanisms to edit and revoke cookie preferences.

Trickiest of all however, is the actual timing of the deployment of cookies and whether visitor preferences are actually honoured by your website and/or Apps. This will require technical input from IT personnel.

To comply with the principles of GDPR, NO cookie deployment should occur before getting explicit consent for any level of cookie use if possible, whether necessary, functional or more.

All About Cookies

Explicit Consent

 

Another major requirement is obtaining visitors’ explicit consent for collection of personal data. Simply providing an option to opt out is insufficient; an obvious and clear opt in is required to be explicit.

Opt in boxes and fields that are checked by default are definitely not compliant, as these are not explicit opt ins. Similarly, providing neither an opt in nor an opt out is certainly in breach of the regulations.

In addition, visitors must be provided with appropriate mechanisms to view, collect, rectify and delete their data, and exercise their right to be forgotten at any time.

While consent is required in most cases for processing personal data, it is not required in cases where there is a lawful basis for data collection, storage and processing. Such information should be clearly noted within the privacy policy.

GDPR defines persons below the age of 16 years to be children, and they cannot give their explicit consent for their personal data to be collected, stored or processed.

Finally, to ensure you are able to demonstrate compliance in obtaining explicit consent, it is strongly recommended to have in place a system to record and store identifiable consents indefinitely. This again will require input from IT personnel.

 

Enhanced Awareness and Training

 

Awareness training of key personnel and decision makers (or just yourself) regarding the principles, individuals’ rights and primary mechanisms of GDPR is essential, to identify potential impacts and to design compliant data management systems.

Similarly, as GDPR is likely to result in changes to your business and perhaps the way you do business, procedural training may be required also.

Resultant changes to business may impact operating costs, though these are more likely to scale up with the size of the business or organisation.

Highly recommended is the implementation of employee and sub-contractor data confidentiality agreements to further protect personal data.

If you use third party services and sub-contractors then you need to communicate with them and reach agreements on handling data according to GDPR, which may affect their business processes also.

It is your responsibility under GDPR to know how the data you collect and share is being treated by third parties you employ.

Know Where Your Data Goes

 

Understanding how and where data moves within your company or organisation is vital to identifying your potential risks and exposures under GDPR. Assessing and documenting how information flows through your systems will help you to comply with GDPR.

Essential to this process is creating a Data Flow Map that illustrates how and from where data is collected, how it moves through the organisation, how and where it is processed, and what third parties may be involved.

This will make potential GDPR compliance issues clearer and also highlight actual and potential data security risk areas and processes.

Furthermore it may be pertinent to instigate GDPR related conditions and clauses in contracts with third party data processors, sub-contractors and suppliers to ensure “downstream” protection of your customers’ personal data.

Contact Us for help mapping your data flows.

Demonstrate Your Integrity

 

Explain clearly in your Privacy Policy how you guarantee to protect your visitors’ and customers’ private data. GDPR requires this information to be communicated in easy to understand language that is clear and concise.

Specifically you must explain the legal basis for data processing, how long you retain the data, that users have the right to complain if dissatisfied with your data processes, if their data is subject to automated decision making, how their data is being shared, and their various rights under GDPR.

In addition you should explain and provide mechanisms for registering complaints with your organisation and preferably regulators also.

Remember that transparency is the key ethos here, and if you are complying with the principles and regulations of GDPR you have nothing to hide and should be very open about your data management.

 

Privacy Will Generate More Business In Time

 

In fact, you should make a point of your commitment to privacy and sing it from the roof tops so that customers current and future will know you value their data security very highly.

Key movers and shakers like Google regularly comment that in the coming years online brand will be a massive determining factor in search rankings and indexing.

Why? Because there is such a proliferation of websites, blogs and Apps with massive amounts of content being generated every day that it is increasingly difficult to determine what is good, valuable content and what is not.

More and more the big players like Google look to factors that indicate the strength of your brand as a marker of your products, services and content being worthy of attention.

In the future, data privacy is going to be a major aspect of how consumers view your business. Clearly, if you have a reputation for less than secure data privacy and management, you’re going to lose customers fast!

Remember, those who complain the most loudly about data privacy compliance are usually the ones who have the most to hide about what they do with personal data!

I know I want my data kept private and secure and it’s the primary commitment I make to my customers.

 

Privacy As An Ethos

 

Compliance with GDPR is best achieved if you make data privacy a key ethos in your organisation. In fact you owe it to your business to do so, because the security of your data processes is directly proportional to the overall security of your business.

Data security is a hugely important aspect of the online marketplace and continually increasing in importance. If you fail to comply with GDPR you have a business model that most likely has potentially critical data breach risk areas.

Hacking of digital assets and identifiable personal data breaches can be massively costly to any business, with potential to cripple a business depending on the severity of the breach.

GDPR recommends “data protection by design and by default” and I recommend it as a key step in addressing all potential security risks, even if not involving personal data. If you haven’t taken personal data security seriously, then for sure you are not taking your overall digital security seriously enough either.

Protect yourself from liability and secure your business by designing privacy safeguards and measures into your data processes from the very beginning. This is called data protection by design.

Collect only the minimum amount of data necessary to provide service and functionality to your customers and visitors, with a short storage period and with limited and secure accessibility, so that by default personal data isn’t accessible to unauthorised data processors or any other third parties without explicit consent of the individual. This is data protection by default.

It’s Not Just Online Data

 

A common misconception is that GDPR applies only to personal data collected from websites. It applies to all forms of personally identifiable data collected from social media, email, correspondence, accounts, online and offline forms and applications.

Therefore, no matter what means of collection were used, all personal data of EU subjects is protected by GDPR, as the core principle is protection of data in any format.

As a result this has potentially far reaching implications for any business as there are technical and legal considerations in the fields of human resources, marketing, general IT and security.

 

An Appointed Controller

 

First of all GDPR stipulates the appointment of a Data Protection Officer (DPO) in specific circumstances, typically related to large volumes and specific types of more sensitive data. In such cases it may be required of either a Data Controller or Processor to appoint a DPO.

Because your data collection, storage and processing parameters are not likely to fall into these categories, you would not likely be required to appoint a DPO.

However, as it is a requirement to provide mechanisms for users to register complaints and make other requests pertaining to their data, it is a wise step to appoint an officer responsible for conducting procedures as required by GDPR.

Therefore it is a good idea to have a responsible and suitably trained person to act as Data Controller. If you are a solopreneur then you yourself are the obvious choice here!

Finally, the Data Controller should be named in the Privacy Policy, along with the means to contact them, such as email and phone number.

The controller must be easily contactable for registering a complaint, making data protection enquiries and communication in the event of a data breach incident.

Note, however, that IT and marketing personnel are typically not the most appropriate choice as Data Controller or indeed a DPO. It is reasonable to assume that the nature of their work would pose a potential conflict of interest regarding personal data.

 

Providing For Individuals’ Rights

 

There are a number of rights of the individual provided for under GDPR; we explained the full list in Part 1 of these articles.

Rights are covered by various mechanisms required by GDPR, some of which are addressed by the Privacy Policy, Cookie notification and editing function.

Others such as right of access, right to rectification, right to erasure and the right to data portability need to have a user friendly mechanism for the user to execute these rights.

Mechanisms must provide for communication with the data controller, and functionality for the user to edit, download and export data.

Furthermore, the mechanisms should record all user requests and subsequent proof of processing of data requests, to provide evidence of meeting duty of care in personal data matters.

This will require alterations to websites, requiring IT personnel input, and other data streams including email, marketing (especially email marketing), social media and purchasing processes.

 

The Dreaded Data Breach Incident

 

Firstly, let me explain that a data breach incident is any event whereby personal data has been, or is suspected of having been, accessed by unauthorised parties.

If no personally identifiable information (PII) has been breached then the reporting requirements to both regulators and individuals are more relaxed; however, irrefutable evidence that no PII has been breached will need to be provided in this case.

Therefore it is essential to develop Data Breach Policies and Procedures that cover monitoring for internal and external breaches, and detail appropriate responses including reporting to regulators and individuals.

Furthermore, all available digital security methods and mechanisms should be implemented to ensure data security, and these measures should then be audited frequently to ensure continued security against evolving threats.

Finally, Article 33 of EU GDPR defines the procedure for data breach notification to the supervisory authority as:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

And notification of a data breach to an individual, or data subject, as:

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

It is advisable to make this notification as quickly as possible and certainly not more than 48 hours after detecting a possible breach. Time is required to determine the nature, content and severity of a breach. (Note: this is not legal advice!)

Data Sharing Outside of EU

 

In principle you cannot transfer personal data outside of the European Union to a third party or country.

However, it is permissible if consent is obtained and the process is assessed and approved by the supervisory authority.

Essentially you could say that providing the sharing and processing of the data was clearly explained, the legal basis for it clearly defined, and all individuals’ rights provided for, then sharing and exporting of data may be permissible.

The supervisory authority would need to approve standards, measures, procedures, clauses and other mechanisms put in place by a third party country, company or organisation that would ensure all such data transfer and processing met the provisions of the GDPR. Legal advice should be sought in this case.

Making Sure It All Works

 

GDPR compliance and data protection in general is not a one time fix; it is a moving goal post, most certainly because cyber security threats are evolving daily.

It certainly is a relief to arrive at a point of compliance no matter the scale, but the process does not end there.

As your business or organisation evolves new aspects and processes will arise. All of these must also comply with GDPR, so new aspects and processes must incorporate data security by design.

It may be necessary to conduct Privacy Impact Assessments (PIA) for new technology or where processes have potentially significant data protection implications.

Existing processes and procedures should be regularly audited for efficacy and against new cyber threats.

Furthermore, legislation is never static so your processes, policies and procedures need to be re-evaluated against changes in regulations as they evolve.

If you want to get GDPR compliant quickly and simply, contact us. We service SMEs and solopreneurs in the fields of Ecotourism, Wellness Retreats, Nature Conservation and Wellness Professionals.

 

Why smart leaders of change embrace technology for future success


Word Count: 1,072    Reading Time: 5.5 minutes

 

Successful leaders empower people and conservation through the smart use of technology

 

You need to use technology appropriate to your niche and size to be heard and be a successful leader of positive change, whatever your message.

Skilful choices and ways of living, symbiotic with nature and humans, are often drowned out by online noise.

Entertainment, news, frivolity, sensationalism and distraction win the most traffic and revenue.

Therefore, to connect to a wider audience and increase engagement, leaders of change must use technology in smart ways for future success.

 

A Startup 30 years in the making, supports leaders of change

 

We at Eco Freelance Support launched April 2019 to service genres like ecotourism, wellness, conservation, nature based education and evolving human consciousness.

Boosting their success and cementing their position, so as to make more positive change possible. Employing the best tactics and tools of big business to get good causes off the runway.

Founded on decades of experience in the fields we service, we provide IT, business and project management services to these genres.


Why did we start up?

 

Firstly, we found many of the folks in these genres struggled to succeed, despite working for the common good and being good at what they do.

Secondly, they often lacked the tools, technical skills and business experience to keep up with rapidly evolving technology and changes in business.

Thirdly, engaging the services that create a bigger audience is often too expensive, or overly complicated and time consuming for them to do it well.

Finally, they were losing too much time to these aspects because their expertise lies in different fields, thus reducing their effectiveness and diluting their message.

 

Click to unlock the Complete Branding Checklist here.

So we started with a simple goal…

 

Provide an affordable service for those people to get off the runway and flying quickly.

Combining the best technology for their needs with sound business structure and workflows to boost their online and business performance.

Scalable to where they’re at, no matter their size, experience or vision.

Working with them to chart and support their success.

Making them more effective over the long term.

 


Real leaders of change

 

You don’t have to change the whole world, just yourself. You know the outer reflects the inner. Therefore, we need only change the inner landscape to change the outer world.

People who understand this are the real leaders of change. But they are not leaders of change because they actively try to change others.

Positive change leaders are such by way of example. They share with others ways of living that are more skilful.

More skilful is to be in balance with nature, with interpersonal relationships and the work-life balance.

Disconnection from nature and each other spreads separatism, dis-ease and stress.

 

Disconnection from each other

 

Despite being more connected than ever in the digital sense, the rise of depression, discontent and malaise demonstrate that our lives are not better for it.

Moreover our interpersonal relationships are more transactional than ever, often more about social proofs than anything else.

Specifically, we mean common modern day proofs such as social media likes, shares and comments.

 

 

Work-Life Balance

 

Are we using technology to make our lives better yet? Better meaning more skilful, as opposed to more convenient.

Being more connected online can mean less time connected in an organic interpersonal way.

Strangely, being online (or connected) means disconnecting from real people and nature in the here and now.

 

A laptop in the woods, smart leaders of change leverage technology for their success.

It’s a paradox

 

In modern society you must use technology to forward or promote any message.

If you are sharing more skilful ways to live, relate, build community, most likely you used technology to get the word out. I mean, what choice have you got?

Unless of course you are working at absolute grass roots level only, within your local community.

Leveraging technology correctly drives more traffic to the source of your content, and it’s quality content that stands the test of time.

If it is not properly optimised for search engines, well you might as well go home! Non-optimised content goes nowhere, unless you get lucky and manage to go viral on something. That is statistically rare.

Consider the numbers

Seotribunal.com reports these revealing statistics:

Google’s 90.46% share of the global search market equates to 63,000 searches per second.

That equates to 3.8 million searches per minute, 228 million searches per hour, and 5.6 billion searches per day.

For people to find you it is essential to rank well in search query results. Nailing your Search Engine Optimisation (SEO) is the only way to achieve this beyond the short term.

NeilPatel explains The 10 Most Important SEO Tips You Need to Know. Neil is a world renowned luminary on the subject.

 


How to swim in a big pond full of hungry fish

 

Those statistics above attest that the online world is staggeringly massive and growing rapidly. It’s very easy to drown in all the noise, such as entertainment, news, frivolity, sensationalism and distraction.

Many important messages about positive change don’t get heard, or heard enough.

Typically it takes resources to compete with all the noisy online traffic.

It is a poor indictment of consumerist society that entertainment, sensationalism and distraction get most of the traffic and make most of the money.

Consumerist behemoths have the resources to drown out or out compete more skilful messages and choices in the market place and the social feed.

Therefore, a good degree of understanding and skill in using the technology to promote more skilful choices is required in the modern landscape.

The web has become very complex with massive user volumes.

It is now a very big pond with huge numbers of hungry fish in it, thus you need the most appropriate tools and familiarity with those tools to swim successfully in the big pond.

Or know somebody who does, like us.

 

Be a smart fish

 

In conclusion, the right tools used the right way are essential for you to continue to communicate your message and bring about positive change.

Furthermore, engaging pro support specifically geared to boosting leaders of positive change, no matter what scale or the stage of their mission they’re at.

Maintaining your work-life balance, interpersonal relationships and symbiotic relationship with nature.

Lest you start to drown in the online world, your example and message is lost and you fail to realise your vision.

The web is a tool, let’s keep it as such, and get back to reality…nature!

 


Why your online brand is essential for success


Word Count: 1,177    Reading Time: 6 minutes

 

You need real people to engage with your material and share it around, you need real customers to buy your services and products.

In this day and age, if you don’t have a presence online, no-one is going to be knocking on your door.

Unless your service is totally unique that is, I mean actually a one of a kind, and lots of people want it!

 

You need to think about online branding and why it is essential for success

 

What is a brand and how does it apply to your situation? We’re going to explain that here and hopefully make it easier to understand.

As Kotler, Bowen and Makens define in ‘Marketing for Hospitality & Tourism’:

‘A brand is a name, term, sign, symbol, design, or a combination of these elements that is intended to identify the goods or services of a seller and differentiate them from competitors.

Branding is the process of endowing products and services with the power of a brand. It’s all about creating differences between products. This process must be carefully developed and managed.’

 

Before you are ready to start promoting yourself you really should put a lot of effort into creating this discernible and unique identity, using it to create as recognisable an online presence as possible.

What’s more, it’s a very good idea to create a brand that people can relate to, especially the audience you want to attract.

As Briana Ford points out over at SocialMediaToday,

You’re being Googled: Maybe not just Google, but if someone is hearing your name, it’s (sometimes simultaneously) being typed into a search engine. No website? No profile on social networks? More than likely, no customer for you.

 

At this point if you’re one of our clients, a therapist, retreat venue, ecotourism destination or an environmental cause, you may be recoiling in disgust.

This sort of thing is probably the antithesis of what you’re about. That’s understandable, it’s the same for us.

But we’re putting this info before you because we all must understand, that while the bulk of humanity is to be found online, getting their information there, connecting with people there and making their purchases there, there is where we need to be.

So, if we’re going to try to connect with people, show them more skilful ways to live, other ways to heal themselves and other ways to make them aware of nature and conservation, it’s in all our best interests to do it well, so we can minimise the energy we spend on it.


How a strong brand leads to successful customer relationships

 

There are many aspects to a successful online brand strategy. We’re not going to cover them all here, as it’s beyond the scope of this article.

Some key aspects are logos, fonts and colours, websites and social media profiles.

Furthermore, the types of content, styles of communication and emotive influence play a huge role. There is way more to it, so it is a good idea to read that checklist!

 

Click to unlock the Complete Branding Checklist here.

Generates Trust

 

If you present yourself and your business in a professional manner, and there are social platform proofs speaking highly of your services or products, people are more comfortable engaging with and paying you.

 

Enhances Recognition

 

Of course you are more than your logo and certainly a logo is only one aspect of any branding strategy. That said, you should still invest time and energy into a professionally designed logo.

It should be memorable and create a desirable impression of your business. It should invoke the emotional response you want people to feel.

 

Foundation of Your Marketing

 

We all must engage in marketing to some degree, whether that be all-out advertising or simply publishing relevant content in appropriate places.

Developing a clear picture of your service/product and quality/reputation underpins any marketing efforts, it’s the first step. Using appropriate channels of marketing for your goals is important.

Too narrow or too broad an approach can dilute the impression of your marketing in potential clients’ minds.

 

Motivates Colleagues and Collaborators

 

When you have an unwavering vision and a mission statement that conveys that clearly, people want to work with you. Your branding efforts should serve to communicate clearly.

People are emotional beings and are inspired to contribute to and support something when they understand it clearly and can identify strongly with the mission.

If you want to attract self motivated, empathetic collaborators you need to demonstrate that you are worth investing their time in.

 

Creates New Revenue

 

The ideal ratio of new to existing clients/customers depends on the sector you are in. There is no rule of thumb that fits all, but it should be clear that any business venture is not likely to succeed in the long run without generating new clients over time.

You cannot rest on your laurels with no clear brand identity or marketing strategy and expect to attract new business.

As we say to our customers, “in this day and age, word of mouth simply isn’t enough to sustain you in the long term.”

Unless of course you are that absolute one of a kind service or product, and everybody wants it.

 

Some Strong Branding Advice

Online branding essential social media metrics dashboard.

Search Engine Optimisation (SEO)

 

Simply put, all your efforts to generate engagement and business will be wasted if you do not embrace SEO.

Direct marketing channels are great but are short term options, their influence diminishes rapidly once the campaign is finished.

Creating relevant and valuable content is a valuable investment in potential future business and clients. BUT, all your cool content will find little of an audience online without being optimised for search engines and indexing.

You’ll simply be treading water and will find it difficult to go with the flow.

 


Always Have Your Customer in Mind

 

To be successful you must align your image and services with your existing and potential customers' needs and desires. Therefore any branding and marketing strategies should always have your customer in mind.

 

 

Clear Message Illustrating Your Value

 

Human attention spans are very, very short these days. Most people have too little time or interest to decipher complex or unclear messages.

To generate real interest you must communicate clearly WHY your brand matters more than any other to your customers. This is best served by creating a story that demonstrates “why you?”

But you need to achieve this very quickly or people lose interest and move on.

 

 

Evoke Emotional Responses

 

It’s no secret these days that most people engage services and buy products based on emotion rather than logical reasoning. If you look at all the most successful brands you will note the enormous emphasis placed on creating emotional responses.

In many cases this is manipulative and pervasive. BUT, to ignore the role of emotional response in any brand and marketing efforts is misguided and virtually guarantees no beneficial result.

The same methodology can be used to convey your message if your emphasis is ethics, empathy, equality and transparency.

All we mean is to take a leaf out of the marketeer's book and remember the role of emotion in all human decision-making processes. It can not be denied.

 

How to achieve your goals and dreams

Word Count: 1,946    Reading Time: 11 minutes

 

Do you know what you really want from life?

Do you know where you want to go, who you want to be?

Is your idea a ‘life project’, a business project or a creative expression?

Will that project, business or creative outlet get you to your vision?

 

Visioning and Goal Setting

 

Answering the above questions is vital before you start any project or make any significant life choice. For the sake of this discussion let's group them all together under the term 'project'.

As such this can also be a way to approach a project management task, except your bosses might not be too keen on the intuition part of this post (below)!

Visioning and goal setting are extremely important first steps in assessing, planning and developing a project.

First, imagine the project complete, up and running successfully as it were, identifying all the realistically achievable parts of it.

Then define steps or goals that can bring you closer to your vision, helping you to see where you are at, relative to your vision, and what steps to take next.

Everyone involved in your project should contribute to these two steps, the more inputs you have, the clearer your picture will be!

Step One: Visioning

 

Here you develop a vision of how you would like to see your project (a business for example) in a few years time. Choose a time frame of five or ten or twenty years in the future, trying to be realistic.

Do not spend too much time thinking about how you are going to get to the goal right now, but form a positive picture, making sure to keep it realistic.

Combine the most desired and valued outcomes of all the stakeholders involved with the project, creating a vision that addresses everyone’s needs.

This exercise can be done in writing as well as ‘mind maps’ or similar diagrams to help visualise the successful project and all its component parts. Feel free to draw and sketch your vision to make it lively and ‘real’.

The diagram can then form the basis of a written plan or project flow chart, each step now more easy to identify, and then the next, and so on, creating what becomes a coherent project plan.

Step Two: Goal Setting

 

In this step you identify concrete objectives of your project with the view of creating realistic waypoints to navigate towards.

These can also be used to help assess your project’s progression, and more easily recognise needs for adjustments and adaptations along the way.

Maybe even major changes in course, as visions and goals have a way of changing over time as you change and your project evolves, or does not.

Tip: Describe at least two goals in each of the major sections within your overall plan. Take for example an ecotourism development, it is helpful to have a balanced weighting between goals of the economic, social/cultural and environmental aspects of your project.

These should be detailed, making sure they are realistic, relevant and that can be measured. Then add these goals to your Visioning diagram and respond by adjusting your overall project plan if necessary.

Step Three: Strategies

 

Next you establish strategies to achieve each of the goals you have identified.

These are best devised by breaking down each goal into all its component parts and evaluating each of these in logical order, step by step.

Once you have mapped each step, group the steps together in logical flows and voilà, now you have a very detailed strategy.

Now For The Hard Part – Action!

 

At first, perceiving a vision and then devising a plan to achieve it can seem daunting, but once you get into the swing of it, you’ll find it becomes a creative process that can be highly stimulating and rewarding.

Sure it takes a lot of work to come up with a clear and concise plan, but in relation to the road that lies ahead, it’s a relatively short exercise and doesn’t require so much energy.

Seeing the plan through to the end and achieving your goals is by far the bigger challenge.

It requires you to work towards your goals every day, day in, day out, week after week, year in, year out.

It requires diligence, stamina, self belief and discipline. These are the biggest challenges in any journey towards a long term goal.

Especially when things are not going so well or according to your well thought out plan!

Holding the clear and unwavering picture of each waypoint you have mapped out, and the end goal in sight, as you work your way along slowly to your end goals is a challenge, a far bigger challenge than setting out on the road in the first place!

You are going to be tested often by difficult circumstances, perceived failures and unforeseen bumps in the road.

You may even come to sense that what seemed like the reason for commencing the journey towards your goal ends up being secondary, that the experience of the journey itself, and how it changes you and your perceptions, becomes primary.

Making Difficult Decisions

 

We are very selective in what information we filter out from our consciousness stream, making our awareness highly subjective.

Furthermore, most people are only able to hold a relatively small number of data points in the conscious mind at any given time.

There is far too much data streaming through your total awareness for you to be aware of it all, through all of your senses and senses most people are unaware of as yet.

In this way it is pretty much impossible for us to ever accumulate sufficient data to satisfy the rational mind that we are making the ‘correct’ decision in any given situation.

The rational mind seeks security, needs to know it is okay and that everything will be okay in the future.

It seeks safety and isn’t normally comfortable with risk, especially if it perceives risk as being threatening to its comfort and physical well-being.

So when trying to make big decisions, because we can never accumulate enough data to satisfy the rational mind that everything is going to be okay, no matter how things turn out, we have a tendency to overthink the situation, or procrastinate.

Procrastination Sucks Your Energy Dry

 

Overthinking and trying to rationalise everything out will drain and deplete your energy. It is the rational mind’s way of avoiding decisions it finds scary and potentially threatening.

You could say that this procrastination is actually self sabotage, that is, it is getting in the way of your progression towards your goals. Don’t get me wrong, considering all the angles and thinking things through is of course important and responsible.

But when you consider that there are far too many data points and streams, or to put it another way, there are just too many angles for you to be able to see them all, well you have to accept there comes a point where you have to rely on something else…your gut.

Don’t Underestimate Your Intuition

 

In the end your feelings play a huge role in all decisions, much more than many people realise or admit. The gut feeling, that inner knowing that something is right, or isn’t, or which fork in the road feels right, and which doesn’t. We’ve all been there.

If you’ve put yourself in enough situations where you’ve tested that gut feeling out, tested that inner voice or feeling, you know it plays a huge role. You begin to trust it.

When you’ve been through enough situations where you put your trust in that inner radar and things worked out okay, you know it’s far more reliable than the procrastinations of the rational mind.

You also know that how things appear on the surface are rarely how they are once you get through a situation and have the perspective of hindsight, can look back and see what ACTUALLY happened.

You know how the facts APPEARED to be, you know what choices you made and what the outcomes were.

Do this enough times and you will know that your intuition is your strongest ally, and a fearless guide.

Sure Make Plans, But Don’t Be Too Attached To Them

 

You’re planning a project, a business venture, a startup, you’re changing your life direction.

You’ve got a plan, or maybe even several. That’s cool, as we said, it helps big time to have a clear picture of where you want to go and how you’re going to get there. It stimulates action.

A BIG word of advice though!

Have you heard the saying “The best laid plans of mice and men”?

“Often go awry!” is the end of that saying, adapted from a line in “To a Mouse,” by Robert Burns.

Essentially it means, that no matter how much you plan and scheme, you can NEVER know everything life has in store for you. There can be pitfalls, there can be failures and there can be catastrophes.

Guess what? There can be amazing windfalls, incredible turns in events that far exceed your plans and expectations too!

So try not to get too attached to all those plans you made, in all likelihood you are going to have to change them at some point. Adapt them, rearrange them, turn them upside down, expand them or drop them altogether.

Don’t be too rigid or too attached to your plans as rigidity and stubbornness may prevent you from realising your dreams, or recognising when your priorities have changed or when something even better has come along.

Allow For Contingencies

 

As we said you can not possibly know everything that is going to happen, you can not see around all the corners, no way. Sure, life would be really boring if you could now, wouldn’t it!

So, if you are starting a new project, something significant, making a major life choice, and you’ve got a plan devised, one word of advice is to allow for contingencies, lots of them!

For all the reasons we were just discussing above, you can’t see everything that may happen. If it’s a major project or decision, there’s going to be many potential waypoints, decisions and choices to be made.

So, when working out time frames, projecting costs, forecasting energies required to make it all happen, add extra on top for contingencies, those things you are currently UNAWARE of.

Those unforeseen things that you couldn’t predict.

But how do you allow for things that are unforeseen, you may ask?

Good point!

If you can not allow for everything, if you don’t know what they are, how can you cost them, how can you time frame them?

More good points!

You can’t, BUT you can make some guesses and you CAN decide on how much you are prepared to allow for contingencies.

As an absolute minimum, we always factor in 15% on top of whatever it is we’re planning.

That’s 15% more time, more cost, more energy required. Depending on the project, the location, the complexity, even as much as 50% contingency.

If your project doesn’t stack up financially or energetically with that contingency added on top, our advice is seriously reconsider the risks! But that’s all still being rational now isn’t it..

SO, don’t forget your intuition, even when considering your contingencies!

IF it’s telling you add 50% contingency, our advice would be go with that.

IF it’s telling you it’s too risky, no matter what the rational data looks like, then go with that.

IF it’s telling you to hell with all the risks, well……

We think you know our answer!

 

Remember this acronym:

False Evidence Appearing Real

Resources

Our experience

GDPR demystified for sole traders and small businesses: Part 1

Word Count: 2,456    Reading Time: 12 minutes

What is GDPR and does it apply to you?

The General Data Protection Regulation came into effect on May 25th 2018 and supersedes the Data Protection Directive 95/46/EC and the UK Data Protection Act 1998. It applies to all persons and businesses that collect and process personal data within the European Union (EU) and the European Economic Area (EEA).

Furthermore, it applies to data collectors and processors located outside the EU and EEA who do, or may handle personal data of EU citizens and data controllers. Therefore you could say that GDPR applies worldwide in the case of internet services and international trade.

The primary objectives of GDPR are to give control back to individuals of their personal data and to establish unified regulations within the EU for international trade, which in turn may lead to greater transparency in relation to personal data worldwide.

It is important to realise that GDPR does not only apply to data collected from websites, but also social media, email and other business processes such as paperwork, correspondence and accounts. It applies to all forms of personal data irrespective of what means of collection were used. While GDPR is obviously highly relevant to online data collection, its core principle is the protection of personal data in any format.

Many have expressed discontent with the regulations regarding them as an unnecessary layer of bureaucratic control over individual rights and trade. I understand this view but prefer the perspective that if all data collectors and processors worldwide adopted the key principles of GDPR, we would all benefit. This would lead more in the direction of a greater degree of data privacy we have not been afforded to date.

What are the key principles of GDPR?

The most important principle is that individuals have complete control over their personal data and that their data is collected only with their explicit consent, rather than implied consent or without any consent. In addition, when collecting personal data it is essential to inform the individual who is collecting the data and for what purpose it is being used.

Simply put, you need an individual's explicit consent to take any of their personal data and you must declare clearly who is taking their data and for what purpose. This applies at any point or step where you are requesting data; depending on your data processes and flow, you may need to gain explicit consent from the same individual more than once.

Explicit consent requires what the GDPR describes as a clear opt-in, not just an opt-out (especially as a default setting) or implied consent. If you are using pre-checked tick boxes or relying on someone pressing a send button without clearly explaining that data is being collected, for what purpose and by whom, then this is implied consent.

An opt-in is not the same as an opt-out, and is defined by GDPR as a mechanism provided for the individual to directly consent at each point of personal data collection, that is not pre-filled by default, and records their explicit opt-in consent for the data collection. Should it be requested by an individual or regulator, you must be able to demonstrate clearly the recording of the individual’s explicit consent to proceed with the data collection, at the time of collection.

Minimising personal data collection, storage and processing is another strong principle in GDPR. It requires us to evaluate how much personal data we do collect, what data is really necessary and how long data is required to provide our services and functionality to the individual. It is most important to know who we are sharing personal data with and if this is really necessary to provide services.

The aim should be to collect as little personal data as possible, only that which is essential to provide services, and collect no data at all, if possible. If you only need a first name or an email address to provide services, then take only that.

Article 25 of GDPR pertains to “data protection by design and by default”. Under GDPR organisations and businesses are strongly encouraged to design into their processes data privacy measures and safeguards from the very beginning. This is data protection by design.

Personal data should be processed with the highest level of privacy protection measures, by default. This means that only the minimum amount of data necessary should be collected and processed, with a short storage period and with limited accessibility. So that by default, personal data isn’t accessible to unauthorised data processors or any other third parties, without explicit consent of the individual. This is data protection by default.

What is Personal Data exactly?

As GDPR is all about protecting personal data, it's important to understand what it is and that it includes data collected by automated and non-automated means. Unfortunately there is no definitive list of what is defined as personal data and what is not.

In reality, what constitutes personal data is subject to interpretation of the GDPR definition and how it applies in the context of the data collection, storage and processing.

Article 4(1) of GDPR defines “personal data” with clarification as follows:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Adding complexity to defining what is personal data, it is important to understand that each byte of data may or may not be an identifier in itself, but may become so when combined with other bytes of data relevant to the individual. Context and setting may affect the definition of any or all bytes of personal data, not least when data is involved in behavioural analysis, profiling and data breach incidents.

The clever folks over at BoxCryptor (a Cloud services company) put together a good list of identifiers from everyday life to demonstrate the potential complexity and accuracy that can be achieved in identifying an individual. Please note that this list is not exhaustive and does not include digital identifiers such as IP addresses and cookie identifiers;

  • Biographical information including date of birth, marital status, social security numbers, criminal record, phone numbers, email addresses, residential address and bank information.
  • Looks, appearance and behaviour, including hair and eye colour, height, weight and defining characteristics.
  • Workplace data and information about education, including salary, tax information and student numbers.
  • Private and subjective data, including photos, religion and political opinions.
  • Health, sickness and genetics, including medical history, genetic data and information about sick leave and fitness data.

What are the Rights of Individuals under GDPR?

Under GDPR individuals are granted certain rights that may greatly affect your business and online processes, as listed below with brief explanations;

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. Inform individuals of your purposes for processing their personal data, retention periods for that data, and who you share the data with. This is ‘privacy information’ and is the key transparency requirement of the GDPR.
  • The right of access: Individuals have the right to access their personal data and must be able to do so verbally or in writing, on or off-line. Requests to access personal data must be actioned within one month maximum, it is however advisable to action in the shortest time possible.
  • The right to rectification: The individual’s right to have inaccurate or incomplete personal data corrected and made complete. This right is linked to the data controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)). An individual must be able to request rectification verbally or in writing, on or off-line and must be actioned within one month maximum.
  • The right to erasure: The individual’s right to have personal data erased, commonly known as the right to be forgotten. An individual must be able to request erasure verbally or in writing, on or off-line and must be actioned within one month maximum. This right applies in certain circumstances only and is therefore not absolute.
  • The right to restrict processing: The individual’s right to request the restriction or suppression of their personal data. If processing is restricted you have the right to store it, but not use the data. An individual must be able to request restriction or suppression verbally or in writing, on or off-line and must be actioned within one month maximum. This right links to the right to rectification (Article 16) and the right to object (Article 21).
  • The right to data portability: The individual’s right to obtain and reuse their personal data for their purposes across different services and platforms. The individual must be able to move, copy or transfer personal data from one IT environment to another in a secure manner, without affecting data usability. This right only applies to information an individual has provided to a data controller. This right must be actioned within one month maximum, however this is extendable according to the nature and complexity of the data requested. In addition, such requests may be rejected under certain circumstances. Additional reading on this right is thus highly recommended.
  • The right to object: The individual’s right to object to the processing of their personal data in certain circumstances, and including the absolute right to stop their personal data being processed for direct marketing, on or off-line. Individuals must be informed of their right to object. An individual must be able to make an objection verbally or in writing, on or off-line and must be actioned within one month maximum. There are circumstances where data processing may continue despite an objection, if it can be demonstrated there is a compelling and legally justifiable reason for doing so.
  • Rights in relation to automated decision making and profiling: As described by Article 22 of GDPR, provisions for rights in the cases of:
    • Automated individual decision-making (making a decision solely by automated means without any human involvement); and
    • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
  • The GDPR applies to all automated individual decision-making and profiling processes and procedures. Solely automated decision-making that has legal or similarly significant effects on individuals has additional rules to protect individuals rights. Such decision making processes can only be conducted where the decision is:
    • Necessary for the entry into or performance of a contract; or
    • Authorised by Union or Member state law applicable to the controller; or
    • Based on the individual’s explicit consent.
  • It is essential to determine if any data processing falls under Article 22 and if so, to:
    • Give individuals information about the processing;
    • Provide simple mechanisms for individuals to request human intervention in the data processing, challenge or appeal a decision;
    • Conduct regular assessments to ensure systems described above are working as designed.

Are you a Data Controller or Processor?

 

As this article is for sole traders and SMEs only, in all likelihood you are a data controller, in that in the course of your business and online activities you are collecting, at the very least, individuals’ names and email addresses. The person or organisation collecting such data is a data controller, as defined in Article 4 of the GDPR;

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

In most cases a sole trader or SME will be collecting data, while the processing of such data is most likely handled by a third party service provider such as Google or Mailchimp for example. The GDPR introduces, for the first time, direct obligations for data processors to data subjects or individuals.

This is why big players like Google, Paypal and Mailchimp (examples only) have been working to achieve GDPR compliance. They are now subject to regulatory penalties and civil claims by individuals pertaining to data processing and protection. Article 4 describes data processors;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What is a Data Protection Officer and do I need one?

If you are a sole trader or SME, depending on the type of business activities, in all likelihood you do not need to appoint a Data Protection Officer (DPO). Most likely you need to designate a named data controller, possibly yourself. There are circumstances under which data processors and controllers must appoint a DPO, as described by Article 37(1):

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

As most people reading this article are unlikely to need to appoint a DPO we won’t go down that rabbit hole!

Okay, so you made it this far, well done…that concludes Part 1.

In Part 2 we will delve deeper into the actual things you need to do as a sole trader and SME to your website(s) and other data collection mechanisms such as social media, email and mailing lists. We will also discuss some of the technical difficulties in complying with the GDPR for small operators.