What is GDPR? Things To Consider Before The 2018 Deadline


*Disclaimer*

Any information found on this blog post has been researched and sourced online. Becoming GDPR compliant is solely your responsibility and we do not accept any liability for any action you have taken as a result of reading this blog post. We always recommend consulting a legal professional to make sure you are GDPR compliant.

On 25th May 2018 the General Data Protection Regulation (GDPR) becomes enforceable. The UK currently relies on the Data Protection Act 1998, but that regime is about to be replaced by the GDPR, which introduces tougher fines for non-compliance and for breaches, and gives people more say over what companies can do with their data.

Who does GDPR apply to?

If you process the personal data of people in the EU, the GDPR probably applies to you. Whether you are a ‘controller’ (collecting the data and deciding what to do with it) or a ‘processor’ (processing the data on a controller’s behalf), you need to comply with the GDPR rules. This applies even if you are based outside the EU but are processing the data of people in the EU.

Once the regulation applies, you must ensure:

  • All data is processed lawfully, fairly and transparently - people need to know why you hold their data and what you are using it for.

  • The data is only used for the purpose it was collected for in the first place.

  • The data you collect is relevant and necessary - e.g. if you don’t need their address, don’t ask for it.

  • All data is accurate and kept up to date.

  • You only keep data for as long as you need it - if you no longer need it, you must destroy it.

  • The data is kept secure - protected against unauthorised access, accidental loss, destruction or damage.

What counts as personal data?

The EU has expanded the definition of personal data under the GDPR to reflect the types of data that organisations now typically collect about people. Anything that counted as personal data under the Data Protection Act still qualifies as personal data under the GDPR, but online identifiers such as IP addresses, and economic, cultural or mental health information, now also qualify as personal data. It is also worth noting that information identifying individuals in their capacity as employees of a business (a work email address, for example) still counts as personal data, even if it says nothing about their private life.

How do I get consent under the GDPR?

Consent must be an active, affirmative, positive action by the data subject, rather than passive acceptance such as pre-ticked boxes or an opt-out buried in the small print. The subject must positively agree that they understand and are happy for you to hold their data.

Consent must be freely given, so you must not make it a condition of a service that does not need it. You must also keep a record of how and when the subject gave the consent you receive, and they must be able to withdraw their consent whenever they want, as easily as they gave it. If your current model doesn’t meet these new rules, you will need to make it GDPR compliant or stop collecting the data when the GDPR applies in 2018.

How have individual rights changed?

The GDPR gives everyone the right to access any information a company holds on them, and the right to know why that data is being processed, how long it is stored for and who gets to see it. The subject access request rules have also changed: in most cases the request must now be handled free of charge (the previous £10 fee was seen as putting people off) and within one month. Subjects also have the right to have their data erased (the ‘right to be forgotten’) and the right to receive their data in a machine-readable format so they can take it elsewhere (data portability).

Note: If the subject requests that their data be deleted but you have a lawful reason to keep it, you can keep it. If not, it must be deleted.

How do I avoid a data breach?

As a business you must be able to demonstrate that you comply with the GDPR, not just comply with it. Think about documenting everything you do so that if it comes to the crunch you can easily show your compliance (what you are doing with the data, how you collected it, etc.).

If a personal data breach does occur, it is important that you document it - no matter how small. Even if you only suspect that someone looked over your shoulder at some private information, document it! It is your responsibility to inform the data protection authority (in the UK, the ICO) of any breach that risks people’s rights and freedoms within 72 hours of becoming aware of it, and if the breach is likely to result in a high risk to the individuals concerned, you must tell them too without undue delay. If you decide a breach does not need reporting, your written record of that decision and the reasons for it will help support your case if it later turns out to have been reportable.

You will also need to consider your IT security. If your data is stored digitally, is it actually secure? If it is in Dropbox, how easily can it be accessed, and by whom? Is Dropbox available on your phone? If your phone is stolen, can the data be read from it, or is the device locked, encrypted and able to be wiped remotely? All of these details and possibilities need to be considered, and you need to be able to show that you have considered them if you are ever questioned.

Marketing Consent 

When you need consent for marketing, you must decide whether the data you currently hold was obtained in a GDPR compliant way.

If you are collecting data from a third party, you must make sure they collected the data in a GDPR compliant way, as you will have to demonstrate that you checked this and that the subject was aware their data would be shared with you or with other third parties. Similarly, any third parties that have access to your data, such as your accountant, need to be GDPR compliant, and where they process data on your behalf you need a written contract setting out what they may do with it.

If you are using people’s data for email marketing, software such as Mailchimp offers both “single opt-in” and “double opt-in” signup. Both collect email addresses easily and safely, but you may want to use “double opt-in”, as it adds an extra confirmation step that verifies each email address and gives you a clear record that the subscriber actively confirmed. Mailchimp also records this in the software, so that if you need to retrieve evidence at a later date to show you complied with the GDPR rules, you can. Bear in mind that double opt-in proves the address is real and that the person clicked; the wording of the signup form itself still has to tell them clearly what they are consenting to.
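To make the double opt-in idea concrete, here is an added example of the flow in Python. It is not Mailchimp’s code and not from the original post; it assumes a hypothetical secret key, an in-memory store and a fixed consent-text version. The point it illustrates is the evidence: the signup is not treated as consent until the emailed token is confirmed, tokens are signed and expire, a used token cannot be replayed, and every consent and withdrawal is appended to a log that records when, from where and under which wording the consent was given.

```python
"""Minimal double opt-in consent flow with an auditable consent record.

Added illustration only (not Mailchimp's implementation). Assumptions:
a hypothetical secret key, an in-memory store, and one consent-text version.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

SECRET_KEY = b"hypothetical-key-load-this-from-your-secrets-store"  # assumption
TOKEN_TTL_SECONDS = 48 * 3600      # assumption: confirmation links expire after 48 h
CONSENT_TEXT_VERSION = "marketing-v1"  # assumption: identifies the wording shown at signup

pending: Dict[str, dict] = {}   # email -> signup details awaiting confirmation
consent_log: List[dict] = []    # append-only evidence of consents and withdrawals


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so a forged link cannot confirm anything."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(email: str, issued_at: int, nonce: str) -> str:
    payload = f"{email}|{issued_at}|{nonce}"
    return payload + "|" + _sign(payload)


def request_signup(email: str, source: str, now: Optional[int] = None) -> str:
    """Step 1 (what single opt-in would stop at): store the unconfirmed request and
    return the token that goes into the confirmation email. No consent exists yet."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    pending[email] = {"source": source, "requested_at": now, "nonce": nonce,
                      "consent_text_version": CONSENT_TEXT_VERSION}
    return make_token(email, now, nonce)


def confirm_signup(token: str, now: Optional[int] = None) -> bool:
    """Step 2 (double opt-in): verify signature and expiry, reject replays, then
    write the evidence record. Returns False for forged, expired or unknown tokens."""
    now = int(time.time()) if now is None else now
    parts = token.rsplit("|", 3)        # email may itself contain '|', so split from the right
    if len(parts) != 4:
        return False
    email, issued_at_str, nonce, mac = parts
    if not issued_at_str.isdigit():
        return False
    issued_at = int(issued_at_str)
    payload = f"{email}|{issued_at}|{nonce}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return False                    # tampered or forged link
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False                    # stale link
    req = pending.get(email)
    if req is None or req["nonce"] != nonce:
        return False                    # never issued, or already used (replay)
    consent_log.append({"email": email, "event": "consent_given", "at": now,
                        "source": req["source"], "requested_at": req["requested_at"],
                        "consent_text_version": req["consent_text_version"]})
    del pending[email]
    return True


def withdraw(email: str, now: Optional[int] = None) -> None:
    """Withdrawal is recorded, never deleted: the log must show both events."""
    now = int(time.time()) if now is None else now
    consent_log.append({"email": email, "event": "consent_withdrawn", "at": now})


def has_consent(email: str) -> bool:
    """Latest event for the address wins; an unconfirmed signup counts as no consent."""
    state = False
    for entry in consent_log:
        if entry["email"] == email:
            state = entry["event"] == "consent_given"
    return state


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the run is reproducible.
    tok = request_signup("alice@example.com", "website-footer-form", now=1_700_000_000)
    print("before confirm:", has_consent("alice@example.com"))
    print("confirm:", confirm_signup(tok, now=1_700_000_100))
    print("replay:", confirm_signup(tok, now=1_700_000_200))
    withdraw("alice@example.com", now=1_700_000_300)
    print("after withdraw:", has_consent("alice@example.com"), consent_log)
```

The separate `pending` store and `consent_log` are deliberate: only a confirmed click produces a `consent_given` entry, and the entry carries the source and the consent-text version, which is exactly what you would be asked for if you ever had to show how and when consent was obtained.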

Finally, consent isn’t for life. Even if a subject once agreed to join your mailing list, it is good practice to check periodically (every couple of years or so) that they are still happy to receive your emails, and to refresh their consent. You cannot simply assume they still agree: if they do not respond, you do not have renewed consent. It has to be POSITIVE consent.

All of this means that if you currently hold people’s information, you must decide whether the data you possess was collected in a GDPR compliant way. For example, if the subject merely failed to un-tick a pre-ticked box, that is not valid consent, and you will need to obtain consent again, ensuring it is done in a GDPR compliant way.

For all queries, visit the ICO website - https://ico.org.uk/ 
