May 25th 2018 – the date the EU General Data Protection Regulation (GDPR) comes into force. The GDPR replaces the current Data Protection Act 1998 (DPA) and will affect every business that holds or processes the personal data of EU citizens. Broadly speaking, data protection is the area of law that governs how our personal data is collected, controlled, stored and shared. The current legislation is outdated: technology has evolved immensely in the last 20 years, and the GDPR was created to bring data protection law into line with it.
Non-compliance is not an option; the fines for breaches are huge. Beyond the fines, breaking the law is bad for business: it could damage your reputation and break down client relationships.
But what does it even mean?
As mentioned above, the GDPR builds on existing law rather than replacing it with something entirely new. The good news is that you should already be doing most of it under the DPA.
The principles are as follows:
| Principle | What it means |
|---|---|
| Lawfulness | Data should only be processed when there is a lawful basis (consent, contract or legal obligation). |
| Fairness | You should provide individuals with the details of how their data will be used and how they can exercise their rights. |
| Transparency | The GDPR requires the information to be provided in concise, easy-to-understand, clear language. |
| Purpose Limitation | Only collect data for specific and legitimate purposes. |
| Data Minimisation | Only collect data which is relevant and limited to what is necessary for the purposes you are collecting it for. |
| Accuracy | Data should be accurate and kept up to date. |
| Storage Limitation | Data should not be held for any longer than necessary. |
| Security | Data should only be processed in a manner that ensures security and protection against unlawful processing. |
| Accountability | It is your responsibility to demonstrate compliance. |
What is personal data?
All the obvious things like name, address, contact information, religious beliefs and sexuality will still be classed as personal data under the GDPR. However, the GDPR has expanded this definition to include IP addresses and economic, cultural or mental health information. Put simply, any data from which a person can be identified will be considered personal data.
So how can you prepare?
Nominate a Data Protection Officer
Although it is not a legal requirement for every business to appoint a Data Protection Officer (DPO), it would be beneficial. Having someone take ownership of the data processes and inform all members of the team of their obligations under the GDPR could save your business time and money.
Make sure consent is clear and concise
Businesses in the UK have always been able to rely on implied consent; that is, consent inferred from silence, pre-ticked boxes or even inactivity.
Under the GDPR, not only must consent be unambiguous and obtained through a clear and affirmative action, but businesses must also show how they comply, keep a record, and be able to prove that the individual gave consent for their data to be held and processed. The individual must also be clearly told how to withdraw their consent, which they may do at any time. Individuals must be made aware of this right before they give consent and on a continuing basis thereafter.
You can no longer bury the terms and conditions for consent: they must always be kept separate from your standard terms, and you cannot make them so complicated that people won't bother to read them. Put simply, consent must be a genuine choice and cannot be a standard condition of service.
Collecting personal data through your own website can be slightly more straightforward than collecting it by other means. Consent can be given via an 'opt in' tick box which is clear and unambiguous (remember, pre-ticked boxes are a no-no), and the proof is recorded automatically. When personal data has been collected elsewhere, consent forms are the most compliant way to stay in line with the GDPR. This way, businesses can make sure consent is specific, clear, prominent, opted-in, properly documented and easily withdrawn.
Review your IT policies
Are you doing everything you can to minimise the risks? You may have collected the data lawfully, but it is equally important that it is stored in accordance with the GDPR. Expect an increase in subject access requests under the GDPR, since businesses can no longer charge for them; put simply, individuals have a right to a copy of any information held about them. How would you handle this? Are your databases organised clearly enough to make this a quick and easy process? There are time limits in place. Also, encrypt your data. Encryption is a stronger form of protection, and if there were ever a breach, having the data encrypted would help to limit any potential fine.
Review your current policies and procedures
By acting now, you can ensure your terms and conditions and policies are adequate before the GDPR comes into force. Understanding your own policies will make compliance a whole lot easier should an issue arise.
Any business that holds or uses personal data should not ignore the GDPR; however, there really isn't any reason to panic either.
BEB can assist with rewriting your terms and conditions and policies, drafting consent forms and answering any questions you may have. Visit www.bebconsultancy.co.uk or call us today on 01604 217365.
Further guidance is available from the Information Commissioner's Office at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/.