GDPR: How To Prepare

What is GDPR?

If you’re a marketeer or business owner, or even just someone in tune with the news, you’ve probably heard of GDPR, but what is it exactly?

GDPR stands for General Data Protection Regulation and is Europe’s new framework for data protection laws, which will come into effect on May 25th 2018. It is going to replace the previous 1995 data protection directive, which current UK law is based upon, with the view that there will be greater transparency between data controllers (companies or organisations that collect data) and data subjects (the individuals the data concerns).

Under the new laws, personal data will be required to be processed in accordance with 6 principles. In summary, the data must:

  • Be processed lawfully, fairly and transparently

  • Be accurate and up to date

  • Be processed with appropriate security measures

  • Be collected for specified, explicit and legitimate purposes

  • Be relevant and limited to what is necessary

  • Permit the identification of data subjects for no longer than necessary

Who does this apply to?

Even if you’re based outside the EU, if you process or control the data of EU citizens, GDPR will apply to you. The potential penalties for falling foul of the new legislation can be anything up to €20 million or 4% of global revenue, whichever is greater. This means that regulators mean business, so your company cannot afford to ignore GDPR!

What do you need to do before May?

  1. Review your data

Compliance with the new laws must be documented, so take a look at the data you currently hold and make sure you identify all of it. This includes not only customer records such as email addresses and phone numbers, but also all personal data of your employees. After the review, you should be able to clearly show the data flow in and out of your business, including exactly what is held, where it was collected, with whom it was shared, and what was done with it.

  2. Ensure processing is legal

In order to be considered lawful, processing should only be undertaken after the consent of the data subject is received. This consent must be actively given and not assumed, and the subject must know what they are consenting to, how their data will be processed and how long it will be retained for. In addition to this, your business must record how and when consent was obtained. However, a contractual agreement can displace the need for consent, such as the use of cookies to track products added to shopping carts prior to purchase. As shopping cart data processing is necessary in the lead up to an e-commerce contract, consent is not required.

If your company outsources any data processing activities, you are still responsible for ensuring that the processor is acting in a GDPR compliant manner. This could mean putting in place a written contract between your company and the outsourced one which outlines the rules they must follow when processing the data.

  3. Revise privacy notices

All internal and public-facing privacy notices should be updated to ensure that they include: your business identity, how personal data will be used, the lawful basis for each processing activity (consent or contractual agreement), how long personal data will be retained, and information on how the data subject may complain to the ICO. All notices should be free and easy to access, transparent and concise, omitting all legal jargon.

  4. Prepare for data subjects’ new rights

Under the new GDPR, data subjects are to receive a variety of new rights. After the 25th May, they will be able to request a full copy of all information held about them, request amendments to the information, or ask that it be deleted. If a subject enquires about accessing their data profile, it is your duty to respond within a month. It could be a good idea to template some responses and create systems that can fulfil data subjects’ deletion requests.

  5. Update your internal processes

It is important to update your processes before the arrival of the 25th May so that staff can be trained in compliance and taught to fill out the appropriate documents, minimising your risk of infringing the new rules. We recommend that companies draft: an ICO data breach report, a data subject breach notification, a revised data protection policy, an information security policy, an impact assessment for processing activities, and data protection training materials. The new GDPR rules state that if a business carries out “regular and systematic monitoring of individuals”, an official data protection officer should be nominated.

Here at CCM we want to make sure all of our clients are GDPR ready; the regulations will affect us too, so we know the importance of preparing. Keep checking our blog for more GDPR information and tips. If you’re a client of ours and would like more information, please get in touch with us on 01625 453 050 or email
