Preparing for GDPR. What you need to know about the General Data Protection Regulations
Changes to the European General Data Protection Regulations take effect 25th May 2018 and if you’re a business with a customer base you need to know about them.
What’s the GDPR?
The General Data Protection Regulations are a new set of rules around data protection. They’ve been designed to a) unify the EU regulations around obtaining, storing and processing personal data and b) increase the control individuals have over their personal information.
In 1995 the EU adopted the Data Protection Directive (the DPD) to regulate processing of personal data. In 1995, however, the internet was a different place and the picture of data we have now compared to then is significantly different. The regulations of days gone by are largely no longer fit for purpose and we’ll all have to change with the times; enter stage right, the GDPR.
For most of our clients and partners, what we’re talking about here is how you use customer information. And the big question for most SMEs seems to be around gaining consent, namely the difference between the ‘opt-in’ and the assumption that not actively opting out is a ‘yes please, sign me up and put me on your database.’
The types of information included are (but not limited to):
- Addresses
- Employees
- Data with manufacturers
- Selling products
- Social media
- Customer photography
- Voicemails (recording phone calls)
- IP addresses
- Mobile device identity
There’s more to it obviously (much more), but here we’ll be clarifying the situation somewhat and pointing you in the direction of some further reading and next steps.
How does it affect my business?
In order to understand the implications for your business, you must first determine how you fit into the controller/processor relationship.
GDPR changes are relevant to you whether you’re the controller of the data held in your business (you obtain information about customers), or the processor (you handle and use information). The ICO has clear and concise information to help you determine your position and responsibilities here and according to the ICO (Information Commissioner’s Office):
“data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Even if you aren’t directly collecting data on your customers, it’s likely you’ll still be affected by the new guidelines and it’s worth checking what your role in the process is so you don’t get caught out. There’s no need to panic if you’re thorough and don’t believe the hype about those crazy fines, but it’s always better to err on the side of caution, right?
What changes do I need to make now?
Though the changes aren’t being enforced until May, it makes sense to start getting your house in order. The ICO have a couple of great resources and checklists to get you on your way and we’ve picked out the significant changes that we’ll be addressing ASAP (and you might want to too):
1. Recording data: All organisations need to keep records of personal data processing activities, capturing the lifecycle of the data and the name and contact details of the data controller.
2. Consent: The biggie for mailing lists, offers, invites and calls.
- Consent needs to be obtained by way of a physical tick box.
- Nope, ‘untick if you don’t want to receive emails’ is not going to cut it anymore.
- You need to reaffirm consent now. If customers are happy to keep receiving your communication, then you can add them to your confirmed-consent database.
- You must always have an unsubscribe option in all emails.
- If someone unsubscribes you need to remove them from everything, every trace must be removed.
- You don’t need consent to send automated emails, i.e. bills.
- Any data received from clients must be checked for consent from their database.
3. Relevancy: Only use what’s necessary. Everyone now has the right to query what info you hold on them, so only keep data that is necessary for what you need it for, i.e. the business you’re doing.
4. Accuracy: Data needs to be kept up to date and you cannot hold the data for a long time – if it’s not used for 12 months you need to delete it.
5. Security: With the recent spate of high profile data breaches, customers need to know their data is being kept safe. Keep records of:
- Who has access to it?
- Does it leave the premises?
- What encryption do you use to protect the data?
- Specify this in your privacy policies
- Employee training in data confidentiality
- Anti-virus protection
- Locked cabinets
- Crisis management policy in place, i.e. what happens if a laptop gets lost/stolen
Even if data is stored in the cloud, you need to record how this data is held and how it is protected.
Breaches must be reported within 72 hours and all individuals involved must be notified. This process must be set out in the privacy policy, as must internal policies and crisis management (and as part of the SLA agreement).
6. Charging for information: You cannot charge to provide the info you hold on an individual.
7. Children’s data:
- Need parents’/guardians’ consent
- Can’t collect their data if they are under 13
- Privacy policy needs to be written in a way children can understand
Further info:
- Elizabeth Denham and the ICO have made the transition to GDPR a simple one with their informative and comprehensive site and guidelines.
- Chiara Rustici is a GDPR expert and analyst and the author of Applying the GDPR: Privacy Rules for the Data Economy
- The official GDPR website aims to ‘educate the public about the main elements of the General Data Protection Regulation (GDPR)’, so probably worth a visit!
How are you feeling about the changes? Are you ready? In a bit of a tiz? Have we missed something crucial? Come talk to us about it @giantpeach