At Young Living we have always been dedicated to protecting the data of everyone we work with. New regulations require that all European Brand Partners protect data in ways that align with the specified protocol of their national Data Protection Regulators. You may not have to register with your individual National Data Protection Regulatory; however, you will be responsible for following the new data protection rules and documenting the steps you have taken.
These tips will help you keep the important data you collect safe. Please visit the website of your national Data Protection Regulator and follow these tips and best practices:
- Make sure you know which data comes through YL and which data is your own. Keep them separated.
- Keep a record of what personal data you hold and know what you use it for.
- Do not keep data that is out of date or no longer needed, set a limit (write it down) for yourself how long you are going to keep personal data.
- Review and delete unnecessary data regularly.
- Before collecting personal data, make sure you know if this data is collected in your function as a YL Brand Partner, or if the data is for your own purposes.
- If you are collecting the data for yourself (not intended for YL related events or newsletter etc; even selling YL products to member of the public on your own webpage), then the personal data is yours and under your responsibility. Do not use this data to sign up someone with YL. Firstly, it is against the YL policies to sign someone up without their knowledge or them being present, secondly you need the written consent (for instance an email from the data owner, which you need to keep archived securely) to share his/her personal data with someone else.
You must also let the owner know how long you plan to keep their data. This is usually done through a privacy notice. Put a simple statement on your website—look at the ICO website for examples https://ico.org.uk/global/privacy-notice/ (or check the information from the data regulator in your country).
- Make sure the data you hold is accurate and correct.
- Allow individuals to request their data to be deleted.
- If the data deletion request refers to YL related data, please forward this deletion request to Europe Member Services firstname.lastname@example.org
- If the data deletion request refers to non-YL related data (your events or newsletters, or data your received via your own online shop/webpage), it is then your responsibility to have this data deleted within 28 days (including emails, excel lists, word documents etc, but excluding invoices) in writing (e.g. email).
- Please encourage Young Living Brand Partners or retail cutomers to contact Young Living Member Services regarding personal details that are in their Young Living account.
- If you are a U.S. Brand Partner or a Brand Partner in any other YL market and have members or customers in Europe, note that you are required to follow the new data protection regime and document the steps you have taken.
- If you need data to perform the contract (i.e., name, address, telephone number, email …) and the customer wants their data deleted, inform them that they cannot have goods delivered without their data being kept. Members should contact Young Living Member Services regarding personal details that are in their Young Living account that could affect delivery of goods. They can also update their own information in the Virtual Office.
- Make sure your records are easily accessible (but secure) and up to date.
- If the customer requests all the data you hold on them to be sent to them, you must do this within 30 days of the request, but only after you verified that this request comes from the data owner. No one (not even a relative) may ask for someone else’s personal data.
- You must have written consent to market to customers. Marketing can include making recommendations for specific products.
- Any personal data of your organization in the Virtual Office is already pre-screened and checked for possible “opt outs” to receive advertising information. If someone in your organization has “opted out,” you cannot send them emails with advertising content, information about products, events, or similar. Contact due to order difficulties is not affected by an “opt out.”
- Make sure the data you hold is secure, keep your customer’s data in a locked filing cabinet or on a secure computer that no one else can access. Look at passwords, theft prevention, and tracking measures for your computers and mobile phones and restrict access to your files and office space. If you use cloud storage facilities or other service providers, make sure that they are sufficiently secure as well.
- If the data is breached (i.e., lost or stolen), then you are required to notify your national data protection authority within 72 hours of the breach.
- Unfortunately, “WhatsApp” is not compliant with GDPR, as it takes all contact details on the phone and shares it other Facebook Companies (see their Privacy & Terms). Sharing data with “someone else” can only be done with consent of the data owner.
- Avoid writing down personal data (as best possible) on notes on little stickers or paper, which could get lost easily.
- Keep consent archived (securely)
- Do not leave your laptop, phone, iPad or similar in the car overnight.
- A shredder is strongly recommended to get rid of any printouts or old paper documents. Never just throw them in the normal waste bin.
- Delete old files and empty the “bin” on your laptop
- Before you download a new updated file, delete the old one
- Always make sure you speak to or email with the data owner directly when discussing personal data
AS A DATA CONTROLLER YOU MAY BE LEGALLY OBLIGED TO REGISTER WITH YOUR NATIONAL DATA PROTECTION AUTHORITY.