GDPR - No need to be scared
There are people out there trying to scare you.
In fact, the new General Data Protection Regulations are not so hard to understand and the steps you can take to ensure compliance are straightforward enough.
This brief set of steps is intended as a basic guide for small and medium-sized businesses that may not yet have had the time, or do not have the personnel, to check what this means for them. There is plenty of more detailed guidance to be found online, and the Government publishes some easy-to-understand guides to help you get started.
What are its main features?
The GDPR puts the onus on the organisation (in its jargon, the "Controller") to hold personal information:
- for a specified legitimate purpose
- and only for the specified purpose
When does it start?
In the UK, it applies from 25 May 2018.
Why is it important?
Because it is the first update to the way we should handle and care for our data since 1998.
The world of data has changed so much in the meantime that it was time for an update. It is also overdue because it has become clear that none of us know the extent to which our data is traded, what it is used for and how open to abuse the current situation is. The way huge companies such as Google, Facebook and Amazon handle our data has become a topic of concern and is being challenged in the courts. We all feel we are behind the curve when it comes to being able to wrest back our personal information. The GDPR attempts to remedy this by setting out our rights and responsibilities for handling data in much more detail.
The second reason is that failure to comply could result in prosecution and fines, and nobody wants that, especially when you consider that the maximum fine could be as high as 4% of turnover.
The third is that the scope and extent of what is meant by "personal data" has expanded.
The fourth is that it is not limited to the EU, but covers organisations and businesses whose reach goes outside the EU.
How will it affect me and my organisation?
- It will demand that you manage your data carefully, especially personal data
- It applies to both the people you employ and to the customers and prospects you deal with
- You will need to know and understand what information you hold and why
- You must create responsible systems and informed people in order to keep the data safe. Control of processes is the key to compliance
- You must show that you have regular routines to ensure you clean out data regularly
- You must be able to demonstrate compliance, i.e. you must be able to prove it to someone who asks
- It puts the onus on you to be safe and secure
- It requires positive approval from those whose data you hold
What do I need to do?
- Make people aware. If you have staff, inform them of the existence of GDPR and explain that it is likely to lead to changes in the ways personal information is handled
- Record all personal data you currently hold and which you are likely to obtain in the future, where it came from and who it is shared with
- Create a plan to handle data covering:
  - What data you hold and why (internal and external)
  - How you intend to get consent for holding that information - remember, the onus is on you
- Review your processes for storing and handling your data, and determine how you will protect personal data
- Define "subject access requests" (who sees what, when and why)
- Create a process for handling data breaches: what are you going to do if something goes wrong? Who will you tell, and how will you manage the breach?
- Consider data protection as part of any new project you take on, so you can identify the risks, minimise them and decide how you are going to handle them
- Hire a data protection officer if need be. Remember that this can be a third party organisation
What you will need to demonstrate
- Why you are processing personal data
- How long you will store it
- How to request correction or removal of personal data
- How to lodge a complaint and what authority oversees it
- Whether the collection of personal data is obligatory or voluntary and the possible consequences if the data is not provided
It is never too late to plan for GDPR. Your liability and risk will depend on how effectively you have complied with the new regulations. Although the impression is sometimes given that it will be much harder to hold data, this is not really the case. Holding data will be perfectly legal as long as you remember the rules that make holding the data acceptable in the first place:
- Has the "data subject" given his or her consent to it as part of performing a contract?
- Does it comply with a legal obligation?
- Does it protect a data subject’s vital interests?
- Is it in the public interest?
- Is it in the "Controller's" (your organisation's) legitimate interests?
- Has the "data subject" given their consent in the form of a contract or a legal obligation? Have they signed up to you holding this information?
If you can prove your data control hits these marks and you are protecting the data securely, then you should have no problems.