Data and how we process it has changed significantly since the Data Protection Act 1998 (DPA), and now it’s time for the law to evolve as well. Introducing… GDPR (the General Data Protection Regulation).
GDPR is a new EU regulation that enforces stricter rules on data storage and processing. It protects EU residents and their data, and applies to every business that holds or handles data belonging to an EU resident, no matter where in the world that business is based. The full regulation can be read on the EUR-Lex European Union Law website. It’s fairly lengthy, so we’ve listed the main points for you below.
One of the biggest changes that comes with GDPR is its definition of ‘personal data’, which can be found in Article 4(1) of the regulation:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that person.
This makes the definition of personal data much more explicit. In summary, what GDPR means by personal data is any data which can be used to pinpoint a particular individual. This could be anything from a name and email address to location data or cookie information, and everything in between.
When does GDPR come into effect?
The new legislation was adopted by the European Parliament on 27th April 2016 but will not be enforced until 25th May 2018. By then, all businesses must conform to GDPR.
How will Brexit affect GDPR?
Regardless of the outcome of Brexit and what may change, GDPR will still apply to the UK. Many businesses will still be holding and processing EU residents’ data, so they must be GDPR compliant. Since the enforcement date comes before the United Kingdom officially leaves the EU, it is best to have a plan ready for when it is enforced.
How do I prepare for GDPR?
Many businesses have already started to prepare, for example, Lloyds Bank overhauled their CRM ready to comply with GDPR. Other companies such as Wetherspoons have decided this is the best time to be transparent with their customers by deleting their entire mailing list, claiming email marketing to be ‘intrusive’.
It’s clear that no one solution will fit all. Every company deals with data differently and will have different processes and platforms for handling the various types of data. However, there are some ways to prepare:
Complete a data audit
The key thing to do is to conduct an audit of your organisation’s data. Through this, you will work through all the processes and services that you use, which will allow you to identify what data is being processed and where it is stored. With that information, you will be able to work out whether you actually need to keep the data, adjust what data is processed, store it more securely or delete it entirely.
Check third-party services
A lot of us in the tech sector rely on services and tools that make our lives easier and give us more time to do the work that counts. Work through all of your third-party services and check whether they are GDPR compliant. After all, if you trust a third party to process or store data, the right thing is to make sure that they are going to handle that data sensibly and securely.
This covers many different types of services: software, content management systems, websites, apps, mail services, coding libraries and website plugins are just a few that you should check.
Appoint a Data Officer
If your organisation deals with a large amount of data, or data that is particularly sensitive, it may be time to appoint or hire a Data Protection Officer (DPO). Article 39 of the regulation defines the minimum tasks of an appointed DPO:
• To advise the organisation and employees on how to operate within GDPR and other data protection laws
• To monitor company compliance with GDPR and other data protection laws
• To be the first point of contact for individuals whose data is processed (be it staff, users or customers)
Even smaller businesses should have someone acting as DPO, who is in charge of how the company deals with data and keeps it in line with GDPR.
Consent or repent
A large part of GDPR is about an individual’s given consent, combined with complete transparency about data collection. Permission needs to be given explicitly by the individual when they submit their data, and it needs to be made clear what is going to happen with the data and where it will be used. This could be something as simple as a check box that must be ticked when filling in a contact form, so that the individual knows exactly how their data will be stored and used.
Know your customers’ rights
With this regulation, more rights will be given to individuals concerning their data. These rights, listed below, are similar to those under the DPA, although they have been expanded with more detail:
• Right to be forgotten
• Right of erasure
• Right of access
• Right of rectification
• Right to restrict processing
• Right to data portability
• Right to object
These rights give an individual more control over their data. Adapting or creating processes to handle these rights should be a priority, so that you are ready if a request is submitted in the future.
This hopefully all makes a bit more sense now.
GDPR can initially feel like a daunting subject to tackle, but with the information above you should be well on your way to understanding the changes it will impose. Be considerate and courteous with the data you hold, keep it secure, and simply don’t take what isn’t yours without asking.
Talk to us about GDPR or your communications needs in general, we’d love to hear your thoughts.