The General Data Protection Regulation (GDPR) is a set of rules put in place to protect the personal data and privacy of individuals in the EU. Any organisation that processes the personal data of people in the EU must comply with it, irrespective of Brexit (the UK retained the regulation in domestic law as the UK GDPR), or risk some very high fines.
This guide sets out, in 10 steps, the key points of GDPR and what your company needs to know about them.
The first point, and the one most often got wrong, concerns consent. Where you rely on consent as your lawful basis for storing or processing personal data, that consent must be freely given by your customers through a positive opt-in. Consent must never be assumed: silence, inactivity and pre-ticked boxes do not constitute consent. Keep a record of what each person consented to and when, make the request easy to understand, and give people an equally easy way to refuse or later withdraw consent, for example by sending an email to customer support.
The GDPR lists a number of rights for individuals as follows:
- The right to be informed
- The right of access
- The right to erasure
- The right to rectification
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
GDPR changes a number of these rights, so examine your existing procedures and make sure you are ready for the changes ahead. Note in particular the right to data portability: personal data that a person has provided to you, and that you process by automated means on the basis of consent or a contract, must be supplied to them on request in a structured, commonly used and machine-readable format (for example CSV or JSON), so it pays to store it that way from the start.
Privacy Notices and The Right to Complain
Under GDPR there are some additional things you will need to apprise people of. These include the fact that any individual has the right to lodge a complaint with the supervisory authority (the ICO in the UK) if they believe you are handling their data inappropriately. You should also tell people your data retention periods and the lawful basis on which you process their data.
The bottom line is that you should review any privacy notices you have in place and make whatever changes are necessary.
Be Aware of your Data
Your whole team needs to understand exactly what personal data you hold, where it came from and, more importantly, who it is shared with. Under GDPR you must keep records of your processing activities covering this data (what you hold, why, on what lawful basis, who receives it and how long you keep it). Holding inaccurate data has consequences of its own: personal data must be accurate and kept up to date, and if you have shared inaccurate data with others you must tell them so that they can correct it too.
This puts you in line with the accountability principle that governs GDPR, which requires organisations not only to comply with the rules but to be able to demonstrate that they comply. In practice this means having written policies and procedures in place, and evidence that they are followed and effective.
Data Requests and Access
Your procedures will also need to be updated to show how you deal with subject access requests under the new rules:
- In most instances you can no longer charge a fee for dealing with a request
- Currently you have 40 days to comply; under GDPR this becomes one month (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month)
- Requests that are manifestly unfounded or excessive may be refused, or you may charge a reasonable fee for dealing with them
When you refuse a request you must inform the individual, within one month, of your reasons and of their right to complain to the supervisory authority and to seek a judicial remedy.
Breaches in Data
Under GDPR all organisations have a duty to report certain data breaches to the ICO, and in some circumstances to the affected individuals as well. The ICO must be notified, without undue delay and where feasible within 72 hours of your becoming aware of the breach, whenever the breach is likely to result in a risk to individuals' rights and freedoms.
Such risks include, for example, financial loss, damage to reputation, loss of confidentiality, discrimination or any other social or economic disadvantage.
Where a breach is likely to result in a high risk to individuals' rights and freedoms, you must also inform the people concerned directly and without undue delay.
You therefore need effective measures in place to detect, investigate and report breaches, and you should document every breach you become aware of, including those you decide not to report, together with your reasoning. Failing to notify a breach in time can attract a fine in its own right, separate from any fine for the breach itself.
Processing Personal Data
You need to give some thought to the lawful basis on which you process personal data; many organisations have never done this. It has few practical repercussions under the current law, but under GDPR some individuals' rights vary depending on the lawful basis, so the choice matters.
The most noticeable example is the right to erasure: individuals have a much stronger right to have their data deleted where you rely on consent, since they can withdraw that consent at any time.
Your lawful basis should be stated in your privacy notice and explained when you respond to a subject access request. The lawful bases under GDPR are broadly the same as the conditions for processing under the Data Protection Act (DPA) 1998.
Review the types of processing you carry out, and identify and document the lawful basis for each one.
Data Protection Officer (DPO)
You are required to appoint a Data Protection Officer if:
- Your core activities involve the regular and systematic monitoring of individuals on a large scale
- You are a public authority (except for courts acting in their judicial capacity)
- Your core activities involve large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offences
If you fall into one of these categories then someone within your organisation, or an external data protection adviser, must be made responsible for your data protection compliance. Even if you are not obliged to appoint a DPO, it is good practice to make someone accountable for it.
This individual must have the required expertise, authority, independence and resources to do the job properly, and must report to the highest level of management.
Data Protection Supervisory Authority
If your company operates in more than one EU member state, you will need to identify your lead supervisory authority. This is the authority of the member state where your main establishment is, meaning the place where your central EU administration takes place or where decisions about the purposes and means of processing are made.
If you do not carry out cross-border processing, this is not relevant to you.
Training and More Training!!
All of your team members need to understand the new regulations, especially those who handle customer and client personal data directly, including business development and email marketing staff. Your team must also understand what GDPR compliance will demand in time and resources, so that it is planned and budgeted for rather than treated as an afterthought.