A Business Guide to GDPR
What Your Business Needs to Know and How to Get Ready
Every day, businesses encounter data such as email lists, spreadsheets and databases, not to mention the data input, stored and transmitted from websites.
So all the growing talk about GDPR has motivated me to research quality and reliable advice which is easy to understand, so I can create an action plan to keep lawful. Below is what I have learned. I hope it helps - do let me know in the comments below.
What is the GDPR?
It is a European directive to replace the Data Protection Act 1988. Regardless of whether the UK stays in the EU, GDPR will launch on 25 May 2018 so businesses need to be ready or possibly risk being fined if they are found breaking the new regulations.
Why the change?
Technology and how we use it have evolved considerably since 1988, so GDPR aims to be more relevant to citizens’ rights, particularly around issues such as sharing of data, harassment etc.
A brief overview of GDPR
The ICO say “For [data] processing to be lawful under the GDPR, one has to identify a lawful basis before you can process the data”. The lawful bases include:
· Consent of the data subject; freely given, specific, informed and unambiguous.
There must be a clear sign of positive opt-in, i.e. consent cannot be inferred from silence, pre-ticked boxes or inactivity. There must be simple ways for people to withdraw their consent to share their data. If the data subject is under 16 years of age, you may have to seek permission from a guardian or parent.
· Processing of data is necessary to perform a contract
· Processing of data is necessary to protect the vital interests of a data subject or person
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
· Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
The GDPR also creates new rights for individuals and strengthens others which currently exist under the Data Protection Act:
The right to be informed - data subjects are entitled to ‘fair processing information’, typically a data notice explaining how their personal data is used
The right of access - data subjects will have the right to obtain confirmation that their data is being processed, access to their personal data and other supplementary information
The right of rectification – data subjects are entitled to have personal data rectified or put right if it is inaccurate or incomplete. If the information has been shared with third parties, you must also inform them of the rectification and tell the data subject who those third parties are
The right to erasure – also known as the right to be forgotten, an individual can request deletion or removal of data where there is no compelling reason for its continued processing
The right to restrict processing – individuals have a right to block or suppress processing of their data, leaving storage-only permission
The right to data portability – allows individuals to obtain and reuse their personal data for their own purposes across different services
The right to object – individuals can object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics
Rights related to automated decision making and profiling - individuals have the right not to be the subject of a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the individual. This does not apply under contractual conditions, authorised by law or if based on explicit consent.
Accountability and governance – businesses must implement technical and organisational measures that show they comply with GDPR. Examples include staff training, internal audits of data processing, reviews of HR policy and, where appropriate, the appointment of a data protection officer
Breach notification – businesses will need to report all types of data breach to the relevant authority and possibly individuals where it is likely to result in a risk to the rights and freedoms of the individuals affected
Transfer of data – restrictions on the transfer of data outside the EU, to third countries or international organisations, so GDPR is not undermined. This affects many businesses using services such as MailChimp where data is stored on US servers.
National derogations – states (countries) can introduce additional exemptions to the GDPR for reasons such as national security, defence, breaches of ethics etc.
In brief, the GDPR focuses on the storage and use of personal data; simply, businesses are required to be more transparent about what data they are collecting, how it is being stored and for what reasons. This sounds easy but the change could massively affect how businesses operate.
An example of how it could affect a retail business
For example, if Mrs. Smith visits your high-street store and you ask her for her email address to be put on a mailing list for special offers, you will need to have a statement prepared saying exactly what data you are storing, where it is being stored, how you will use it, why you will use it, how long you intend to keep the data for, directions on how the customer can opt out and where she can request access to her data.
Get ready for the GDPR with these 6 questions
- Consider what data you hold: who holds it and who has access to it?
- Consider where that data came from: how is it updated, how regularly is it updated and how long do you hold it for?
- Consider what you do with the data: who do you give it to and how do you transfer it to other people/organisations (including transfer to the BMC)?
- Consider the security of data: where do you hold data and what data do you encrypt/password protect?
- Do you have permissions from your members to do what you do with their data, and when was that permission (consent) given?
- Do you have a data protection policy, is it adhered to, is it current?
Download this information leaflet here from the ICO: GDPR: 12 steps to take now.
Do you have advice for businesses about how they should prepare for the GDPR? Let us know in the comments below.