We’re only days away from GDPR coming into force. Are you ready?
The EU’s General Data Protection Regulation (or GDPR as it’s more commonly known) comes into force on the 25th May. It replaces the Data Protection Act 1998 and overlaps with The Privacy and Electronic Communications Regulations (PECR), which covers the use of cookies and electronic marketing communications such as email, and it’s set to change the data protection landscape and how you store and process the personal data of clients and employees.
For any organisation that handles large volumes of personal data, being GDPR-compliant is vital.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is designed to give people more control over how organisations use their data. The regulations overlap with The Privacy and Electronic Communications Regulations (PECR), which cover the use of cookies and electronic marketing communications eg email. In the UK, GDPR will replace the Data Protection Act 1998 and will be enforced by the Information Commissioner’s Office (ICO), which has powers to impose hefty penalties of up to €20 million or 4% of annual turnover (whichever is higher) on organisations that fail to comply with the rules. The fines also extend to organisations that suffer serious data breaches.
Under GDPR, an EU citizen has a number of rights with regard to accessing, correcting and requesting the deletion of the data you hold. These rights will not change as a result of Brexit.
What constitutes personal data?
The Act regulates the use and processing of ‘personal data’, held electronically or in any ‘other’ relevant filing system, that relates to a living individual who can be identified. This includes directly identifiable data (PID) eg name, email address, phone number etc, and indirectly identifiable data such as account numbers and ‘online identifiers’ such as cookies, IP addresses and geo-location data.
What are your obligations?
- To ensure that you have a lawful basis upon which to collect and process the data
- That you only process data for the original purpose for which it was obtained, and gain separate consent if you wish to use the data for more than one purpose. For example, you may need more than one tick box on your website if you want to enable the data subject to submit a form both for the purpose of enquiring about your services and for the purpose of joining your mailing list
- That you will only store data that is relevant to the purpose for which it is being processed
- That you keep the data secure
- That you will not transfer the data outside of the EU unless there is an adequate level of protection
- That you will keep the data up to date
- That you will only keep the data for as long as you need it, or until such time as the data subject requests that you no longer hold it
- That you will notify, within 72 hours, the ICO and the data subject in the event of a serious breach of data
What are the rights of the ‘data subject’?
The ‘data subject’ has a number of rights with regards to the personal data that you hold. Specifically, these include:
- A right to be informed
- A right of access to a copy of the information comprised in their personal data
- A right to rectification
- A right to erasure
- A right to restrict processing eg to prevent processing for direct marketing
- A right to data portability
- A right to object to processing that is likely to cause or is causing damage or distress
When you no longer need the data you hold, eg if the data was obtained for the purpose of processing an application, you will need to destroy it in a safe and secure manner, unless it is needed for further processing.
How do you ensure you are compliant?
Follow these practical steps to ensure that you are compliant:
- Review the data that you hold and determine:
  - What categories of personal data do you hold?
  - How do you process personal data?
  - What is the lawful basis upon which you have processed the data?
  - Is the data up-to-date?
  - Note: If you have no lawful basis you must delete the data by the 25th May 2018. You have until then to re-permission data subjects.
- Who has access to the data?
- Are staff aware of their and your organisation’s responsibilities when it comes to collecting and processing data?
- How will you respond to requests to access the personal data?
- Who will process personal data within your organisation?
- Who will be your Data Controller? Who will be your data processors?
- Do you have written agreements with them? Example agreements can be seen here.
- Do you have a data processing policy? When was it last updated?
- Do you transfer personal data outside of the EU, eg via your CRM or accounting system?
- Is your website GDPR compliant?
  - Do you have a data privacy and cookies policy? This should set out the Data Controller’s identity and contact details as well as details about the data you collect and process, for how long, and whether it includes any automated decision-making.
  - Does your website include a website terms page?
  - Do you have a ‘cookie consent’ mechanism in place?
  - Do your website contact forms include a tick box requiring the subject to agree to your terms and privacy policy?
  - Do you include a separate tick box (or preferably a separate form) to get consent from the subject to join your mailing list? This must be unticked by default.
  - Does your website have an SSL certificate (displayed as a green padlock)?
The ICO provides a useful checklist with 12 steps to get compliant which can be viewed here.
To find out more about this article please contact us.