The GDPR (General Data Protection Regulation) replaces the data protection regime that the Data Protection Act 1998 implemented in the UK. GDPR applies to any business that processes the personal data of individuals in the EU, wherever that business is based, and gives individuals more rights over how businesses use their data.
It relates, in particular, to personal data. That is any data that can be used to identify a natural (living) person, directly or indirectly: a name, an identification number, location data, an online identifier such as an IP address, or factors specific to a person's physical, genetic, economic, cultural or social identity. A subset of this, special category (sensitive) personal data, needs extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health information and records, or anything about a person's sex life or sexual orientation.
It’s a good thing
As a consumer, it means not being bombarded with emails you didn’t sign up to or having your details on file with companies you have no interest in. It’s better protection for us as individuals.
It also makes good business sense to contact only those individuals who have an interest in your products or services, rather than risk the company's reputation by badgering people who do not want to hear from you.
Put simply, businesses should only hold data relating to an individual if it is appropriate to do so and only for as long as it is relevant. If someone signs up to receive a newsletter, giving their name, email address, phone number etc. this information can only be used for the purpose stated, that is, to send them your newsletters. If they unsubscribe you must stop sending these messages to them.
It’s about being clear and appropriate, so the GDPR principles require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Source: ICO website. For more information visit: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
A privacy statement (also called a fair processing notice) is therefore about giving people clear information about what you are doing with their personal data: why you are processing it (the purpose), who you may share it with (for example suppliers or other companies that process it on your behalf), how long you plan to keep it (the retention period) and what rights they have over it.
If you are contacting people, for example for marketing, did the individual sign up to be contacted? Be explicit about what they are signing up to receive and only contact them for that purpose. Double opt-in is the clearest way to evidence this: a sign-up button on the website, followed by a confirmation link sent to the email address, so that nothing is sent until the link has been clicked. Under GDPR you must be able to demonstrate that consent was given, so keep a record of when each person consented, how, and to what.
What do I need to do?
GDPR places legal obligations on companies, so you need to be aware of them. The requirements include secure storage of data, maintaining and deleting data as relevant, and providing details of the data held should an individual request access to that information (a subject access request). Encrypt or password protect sensitive documents and only share them via a secure method, so the data cannot be read by others if it is intercepted or mislaid. Lock your computer screen when it is unattended. Do not view personal data where the document or your screen can be seen by others. Companies are also responsible for reporting a personal data breach, such as accounts being hacked or the loss of a memory stick, to the ICO within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals; failing to do so can lead to penalties.
- Review current data
- Check records of consent
- Write your policy
- Publish a privacy statement
- Live by your process
For more information see the ICO guide, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Review current data
Check what data you have on people and then make sure it is relevant for a legitimate purpose and up to date.
Delete any personal data you hold that is no longer relevant.
Encrypt or password protect electronic records and lock away paper ones, so that you can be sure everything is securely held and only those who need it can see it.
Check records of consent
Do you have a record of when each person gave consent and what purpose they consented to? Give individuals the option to unsubscribe (it must be as easy to withdraw consent as it was to give it) and, if they do, remove them from your list.
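The double opt-in flow described earlier and the consent records this section asks for can be handled together. The following is an added example, written for this page rather than taken from the ICO guidance or any product: it stores a pending record at sign-up, only marks consent as given when an HMAC-signed, time-limited confirmation token comes back, refuses tampered, expired or reused tokens, records withdrawal, and can produce the evidence you would need to demonstrate consent or answer a subject access request. The in-memory store, the secret key, the token format and the function names are all assumptions of this example; a real system would persist the records and send the link by email.

```python
"""Double opt-in consent records (added example, not from the original page)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side secret; in practice load a random 32-byte value from configuration.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
TOKEN_TTL = 48 * 3600  # confirmation links expire after 48 hours

# Constructed in-memory store: email -> purpose -> consent record
_records = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def request_consent(email, purpose, notice_text, source, now=None):
    """Step 1, the sign-up form. Store a *pending* record and return the token that
    goes into the confirmation link. Nothing may be sent to the person yet."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)  # ties the token to this specific request
    _records.setdefault(email, {})[purpose] = {
        "status": "pending",
        "requested_at": now,
        "confirmed_at": None,
        "withdrawn_at": None,
        "notice_text": notice_text,  # exact wording shown at sign-up
        "source": source,            # where the sign-up happened, e.g. the form URL
        "nonce": nonce,
    }
    claims = {"email": email, "purpose": purpose, "nonce": nonce, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def confirm_consent(token, now=None):
    """Step 2, the link in the email. Verify the token and record that consent was given."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # tampered or forged
    claims = json.loads(payload)
    if claims["exp"] < now:
        return False  # link expired; the person must sign up again
    rec = _records.get(claims["email"], {}).get(claims["purpose"])
    if rec is None or rec["nonce"] != claims["nonce"] or rec["status"] != "pending":
        return False  # unknown, superseded, or already-used token (no replay)
    rec["status"] = "confirmed"
    rec["confirmed_at"] = now
    return True


def withdraw_consent(email, purpose, now=None):
    """Unsubscribe: withdrawal is recorded, not deleted, so it can be evidenced later."""
    rec = _records.get(email, {}).get(purpose)
    if rec is None or rec["status"] != "confirmed":
        return False
    rec["status"] = "withdrawn"
    rec["withdrawn_at"] = time.time() if now is None else now
    return True


def may_contact(email, purpose):
    """The only check a mailing job should make: confirmed consent for *this* purpose."""
    rec = _records.get(email, {}).get(purpose)
    return rec is not None and rec["status"] == "confirmed"


def consent_evidence(email):
    """What you would produce to demonstrate consent or answer a subject access request."""
    return {purpose: {k: v for k, v in rec.items() if k != "nonce"}
            for purpose, rec in _records.get(email, {}).items()}


if __name__ == "__main__":
    # Constructed walk-through of the flow
    tok = request_consent("alice@example.org", "newsletter",
                          "Send me the monthly newsletter", "https://example.org/signup")
    print("before confirmation:", may_contact("alice@example.org", "newsletter"))
    print("confirmed:", confirm_consent(tok))
    print("after confirmation:", may_contact("alice@example.org", "newsletter"))
    print("replayed link accepted:", confirm_consent(tok))
    withdraw_consent("alice@example.org", "newsletter")
    print("after unsubscribe:", may_contact("alice@example.org", "newsletter"))
    print(json.dumps(consent_evidence("alice@example.org"), indent=2))
```

Note that consent is recorded per purpose: confirming the newsletter does not allow product announcements, and `may_contact` is the single place a mailing job should check, so an unsubscribe takes effect everywhere at once.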
Write your policy
Write a policy of how you will store and manage data, and follow it. Share it with staff so they know their obligations.
Pay the data protection fee to the ICO if you handle personal data (most organisations must, unless an exemption applies).
Publish your privacy statement
Write a privacy statement so individuals know what data may be held, for what reasons and what their rights are.
Make this available to people, maybe on your website.
Live by your process
In summary, think:
Why did I get the data in the first place and do I still use it for that? Do I need to keep it for legal reasons, VAT registration or insurance agreements etc.? If not delete it!
For more guidance on GDPR and what you need to do before the 25th May 2018 I recommend you go to the ICO Guide to the General Data Protection Regulation (GDPR).