The UK Data Protection Act 1998 is being replaced by the new GDPR (General Data Protection Regulation). This EU legal framework comes into effect on 25th May 2018, and Brexit doesn't get the UK out of this one!
Fundamentally, if your business requests and stores information relating to an individual, i.e. customer, supplier or employee, your business will need to comply. Consider their name, email address, DOB, company name, address, gender, images, banking details, location information, social media connections and posts, medical information, IP address ... anything unique to an individual.
Non-compliance with the new regulation could see businesses face fines of up to 4% of their turnover or 20 million Euros, whichever is higher.
With data security breaches a regular newsworthy headline, the purpose of GDPR is to reduce these frequent problems and bring about greater care and responsibility with people's personal information. Broadly speaking, these are the key points for businesses to consider and review:
- The type of data you need to store
- The purpose of the data
- How are you going to acquire the data
- Where will you store the data
- Who will you share the data with
Businesses will need to appoint a Data Officer who will be responsible for maintaining the security of personal data, and for locating and removing it on request.
An individual's consent will be required for storing their personal information going forwards, and a process to review existing records is generally recommended.
- Double opt-in: A verifiable record must be retained proving that a person you contact has given you permission to contact them using the details they supplied.
- Active opt-in: Pre-checked 'opt-in' check boxes are no longer valid. Failure to opt-out can no longer be considered consent. There must be visual clarity - no small text.
- Granular opt-in: If communications are varied in terms of content or type (SMS, post, email) or appropriate for some users and not others, then granular options for consent will ensure transparency and compliance.
- Unbundled consent: Consent to use personal data can no longer be a precondition of signing up to a service, unless it's entirely necessary. Consent to use or store user data must be separate from other terms and conditions you provide even if consent is written into the terms and conditions.
- Named acquirers: Separately name your organisation and any third-party data acquirers (if applicable) who will be relying on the user's consent.
- Record Keeping: Keep records of what the individual has consented to, including what they were told, when, and how they consented.
- Easy withdrawal: Users have the right to withdraw their consent at any time. Easy instructions must be provided.
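The consent points above translate directly into what a sign-up system has to record and check. The following is an added illustration (not the page's or any agency's code) of a minimal consent ledger: a double opt-in confirmation token, one consent flag per channel so nothing is pre-ticked or bundled, a record of the exact notice wording, when and how consent was given, and a withdrawal path. The class and function names, the in-memory storage and the server secret are all assumptions for the example; a real deployment would load the secret from configuration and persist the records.

```python
"""Added example: a minimal GDPR-style consent ledger with double opt-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

# Assumed for the example only; in production load this from configuration.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _token_ref(token: str) -> str:
    # Store an HMAC of the confirmation token, not the token itself, so a leaked
    # pending-table cannot be replayed to confirm consent on someone's behalf.
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    email: str
    purposes: dict                    # channel -> bool, one explicit tick per channel
    notice_text_hash: str             # sha256 of the exact wording shown to the user
    requested_at: str
    method: str                       # how consent was captured
    confirmed_at: Optional[str] = None
    withdrawn_at: Optional[str] = None
    history: list = field(default_factory=list)  # what happened, and when


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict = {}
        self._pending: dict = {}      # HMAC(token) -> email, single use

    def request_consent(self, email, purposes_ticked, notice_text, method) -> str:
        # Active, granular opt-in: only channels the user explicitly ticked become True.
        purposes = {p: bool(v) for p, v in purposes_ticked.items()}
        rec = ConsentRecord(
            email=email, purposes=purposes,
            notice_text_hash=hashlib.sha256(notice_text.encode()).hexdigest(),
            requested_at=_now(), method=method)
        rec.history.append(("requested", rec.requested_at, dict(purposes)))
        self._records[email] = rec
        # Double opt-in: the token goes out by email; consent is proven only when it returns.
        token = secrets.token_urlsafe(32)
        self._pending[_token_ref(token)] = email
        return token

    def confirm(self, token: str) -> bool:
        email = self._pending.pop(_token_ref(token), None)  # unknown or reused token fails
        if email is None:
            return False
        rec = self._records[email]
        rec.confirmed_at = _now()
        rec.history.append(("confirmed", rec.confirmed_at, None))
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        # Every send must pass this check: confirmed, not withdrawn, and ticked for this channel.
        rec = self._records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at
                    and rec.purposes.get(purpose))

    def withdraw(self, email: str, purpose: Optional[str] = None) -> bool:
        # Easy withdrawal: one channel, or everything when no purpose is given.
        rec = self._records.get(email)
        if rec is None:
            return False
        when = _now()
        if purpose is None:
            rec.withdrawn_at = when
        else:
            rec.purposes[purpose] = False
        rec.history.append(("withdrawn", when, purpose))
        return True

    def export(self, email: str) -> Optional[dict]:
        # Locating data on request: return everything held about the individual.
        rec = self._records.get(email)
        return asdict(rec) if rec else None


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request_consent("user@example.com", {"email": True, "sms": False},
                                 "Tick to receive our newsletter by email.", "web form")
    print("before confirm:", ledger.may_contact("user@example.com", "email"))
    print("confirmed:", ledger.confirm(tok))
    print("after confirm:", ledger.may_contact("user@example.com", "email"))
    print(ledger.export("user@example.com"))
```

The point of `may_contact` is that the consent record is consulted at the moment of sending, not just at sign-up, so a withdrawal takes effect immediately; the `history` list and `notice_text_hash` are what you would produce to show what the person was told, when, and how they agreed.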
Your website should by now have an SSL/TLS certificate installed so that it is served over HTTPS. This encrypts your customer data in transit when a user completes a registration or contact form. We have produced more information about website security.
Let's get you some advice
The ICO (Information Commissioner's Office) has issued an online guide to getting ready for the GDPR. Further to this, we are ready to help you and have established links with legal professionals who are also on stand-by. Call us if you're unsure.
How we can help you comply
We can help you meet the new GDPR regulations with a number of data services.