The GDPR (General Data Protection Regulation) comes into effect on 25 May 2018 and replaces the DPA (Data Protection Act). The updated legislation will affect many businesses because it defines “personal data” more precisely than the DPA did.
With less than one month to go it is important that you are taking your responsibilities under the new GDPR legislation seriously.
If you have not started to consider your obligations, don’t panic: there is still time. But you need to start preparing now! Seems a little overwhelming? Don’t worry – there are many great guides, tips and advice available online, including directly from the Information Commissioner’s Office.
Not sure what the GDPR covers? It’s any data that your business holds (in any form) that refers to an identifiable individual (the “data subject”). That doesn’t just mean names and contact details – it also includes things like IP addresses, or details submitted in a contact form on your website.
The new legislation refers not only to information that you may obtain after 25 May 2018, but also to the information you currently hold, so it’s crucial that you start to prepare now.
Why not first consider the information you currently hold? This is a great place to start. If you no longer require customer data, then remove it. If you don’t need it, don’t keep it! This will put you on the ladder to becoming GDPR compliant. But don’t stop there!
Now consider the information you need to retain. Do you have consent to retain this information? Do you need to seek consent? Data subjects have the right to be informed about the collection and use of their personal data, whether it’s online or offline. You must provide individuals with information including your purposes for processing their personal data and how long you intend to keep it. You must also provide privacy information to the data subject at the time you collect their personal data from them. When you provide this information it must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language. You must regularly review and, where necessary, update your privacy information, and bring any new uses of an individual’s personal data to their attention before you start the processing.
It is essential to keep a record of everything you are doing to be GDPR compliant. If you are ever challenged you will be required to evidence what you have done to be GDPR compliant and the processes you’ve followed. This is known as your GDPR Register. You need to understand your data and classify it; this will help you determine how and where the data is to be stored and who is required to control and process it.
Now that the data has been identified, the next step is to evaluate it and how it is being collected, produced and protected. It is essential that you protect the privacy and identity of the data subject from the moment the data is collected until the day the data is no longer required and is destroyed.
Ongoing review of your data storage is crucial to ensuring any vulnerabilities and risks in the GDPR processes are identified and addressed to ensure compliance. All reviews and risks should be logged in the GDPR Register. GDPR should also be at the forefront of any new ideas, plans and processes that a business may consider.
Under the GDPR each and every data subject has the “right to be forgotten” – if an individual requests that their data be completely removed from your systems, you must comply. Should you receive a “right to be forgotten” request, whether verbally or in writing, you must respond within one month. Making sure that your data is well organised will make this process easier should you ever receive such a request.
Another great place to start is by referring to our article GDPR: 10 Things You Need To Know.
Here’s our last minute checklist for you to action!
- Audit existing data
- Document every action
- Ensure you have advised the data subject about the information you hold
- Ensure you have consent (or another legal basis) to hold the data. If you are unsure about the data you are collecting and whether it is for a ‘legitimate interest’ then check out the ICO tool for determining that you have a lawful basis: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/lawful-basis-interactive-guidance-tool/
- Check your website is compliant – opt-in forms giving consent, an easy way to opt out or withdraw consent, an updated cookies policy, an SSL certificate, and up-to-date Privacy Notice and Terms & Conditions.
- Ensure you have written agreements with third parties who will have access to the data, and that they are also compliant with the regulation.
- Lastly, ensure all the above is in place by 25 May 2018!