On 25 May 2018, new regulations on handling and processing personal data come into force, and every business, large or small, needs to ensure it is compliant with them.
The General Data Protection Regulation (GDPR) is EU legislation. Despite Brexit, it will apply in the UK too and GDPR will build on our existing Data Protection Act regulations.
There are potentially large fines for breaches, so it really is in your interests to get ready for the new rules.
Six key principles
There are six key principles to the GDPR, which state that personal data should be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit, legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in a form which allows the identification of data subjects (i.e. individuals) for no longer than is necessary
- Processed in a way which ensures appropriate security
Personal data
Personal data is any data which specifically identifies an individual, or from which you can identify an individual. Here are some examples of personal data:
- Name & Date of birth
- Telephone number, email address & home address
- Marital status
- Nationality & Ethnic Origin
- Bank account details
- Employment details
- Criminal convictions
- Financial history e.g. bankruptcy/CCJs
- Credit card information
- IP address
- National Insurance number
- Details of dependents
- Emergency contact information
- Residential status
This could be data from customers, employees or third parties (such as suppliers).
Processing personal data
The regulations cover any activity that involves the use of personal data. Simply holding a database of customers with personal information such as names, dates of birth, email addresses, etc., would mean the GDPR applies to you.
When you collect personal data, you must let the data subject know why you are collecting it and what the legal basis for collecting it is.
There are several legal bases you can rely on which will permit you to process personal data – the most common one being that the individual has given you their consent to do so.
Previously, you could assume someone’s consent if they did not tick a box to opt out of receiving information; now you have to obtain their active, opt-in consent.
From 25 May 2018 onwards you will no longer be able to rely on statements like this:
“If you do not wish to be contacted by us with details of services that may be of interest to you, please tick here.”
Instead, you have to use an opt-in statement like this:
“We would like to contact you by post with details of services that may be of interest to you. If you agree to be contacted in this way, please tick here.”
You will need to conduct an analysis of the consents you have received in the past and determine whether you can still rely on these to process personal data going forwards.
Although obtaining consent will be a key way for you to process personal data, it must be freely given, and you need to be careful not to seek consent just for the sake of it. Consent should not be used as the default option – always think about the why and the what of collecting!
Greater rights for individuals
One right individuals have under the GDPR is to obtain a free copy of all personal data that you hold on them, which you must provide within one month. They also have the ‘right to be forgotten’, i.e. have their personal data deleted.
You should not hold more data than you actually need, and you must ensure it is up to date and secure. This could range from implementing a clean desk policy and shredding bins to arranging cyber-security insurance.
As you can see there is quite a bit to think about, so here’s a useful checklist.
Checklist of points to consider:
- Conduct an audit of all the personal data you hold, including what personal data you are processing, how you obtained it and who you share it with. Remember this doesn’t just affect customers and clients, but your employees too!
- Know how you process data and record the legal basis including how and when consent was received (if you are relying on consent)
- Make sure you have a documented procedure for dealing with requests from data subjects, as well as data breaches
- Make sure any client or employee facing privacy policies are GDPR-compliant. You may need to ask for independent legal advice
- Train your staff – so they understand what they need to do and how they can play a key role in compliance
There is a wealth of information on the website of the Information Commissioner’s Office (ICO), the UK’s data protection regulator. The ICO has recently established a hotline to help small organisations prepare for the GDPR. Go to: https://ico.org.uk/