The General Data Protection Regulation (GDPR) is an EU law which will take effect on 25th May 2018 and in the UK will replace the Data Protection Act 1998. It is quite simply an effort to give users better control over how organisations use their personal data, but in turn it puts a lot of scrutiny on UK and European businesses to ensure they gain clear consent before collecting and using data from users and customers.
As with all EU laws there are of course a multitude of areas covered, however there are a few key areas which will affect businesses who collect and use people’s data, and the penalties for not abiding by these new rules can be serious – approx 4% of a business’s annual turnover in fact! So it’s imperative to ensure your business now operates legally under this new law and that you incorporate new data protection strategies to adhere to these rules.
Before I get started, the one thing I must make clear is that this affects everyone in business. “But me and my business don’t use people’s data, so it doesn’t apply to me” is a common response I hear to this, but you couldn’t be more wrong if you are thinking this, so please don’t be complacent. The reason this applies to everyone is because the EU are broadening their remit when dealing with people’s data – right down to simply keeping a client’s email address. This is usually the moment the penny drops. Do you have an email address of a client who you write to? Of course you do! You probably have hundreds if not thousands! And have these clients actually given you permission to keep their email address on file? No? Well then you, my friend, are in breach of GDPR and need to quickly sort this.
So let’s look at the key aspects being imposed by GDPR:
- Controllers (business owners) must ensure that any personal data is processed lawfully, transparently and for a specific purpose
- Once that purpose is fulfilled and/or is no longer required then it should be deleted
- Users’ consent must be an active and affirmative action by the person
- Controllers must keep proof of how and when an individual gave consent
- An individual can withdraw their consent at any time
As I stated above there are of course a number of areas covered within GDPR but these are the core aspects which apply to everyone. So let’s discuss each aspect in more detail.
Personal data must be processed lawfully, transparently and for a specific purpose
Once that purpose is fulfilled then it should be deleted
Put simply, if you no longer need to keep someone’s details (i.e. you’ve not worked with or spoken to that person in a year) then you have to delete the information. Even if someone has given you their business card and you never called them back but still have the business card – it was likely implied that you could keep their business card forever, but unless that person actually signed something to specify this then you need to get rid of it.
Users’ consent must be an active and affirmative action by the person
Controllers must keep proof of how and when an individual gave consent
No matter how someone has given you consent to keep their details on file, you now must keep a copy of this to ensure you have clear and concise traceability back to the moment they consented. This is as much for the user’s benefit as it is your own.
An individual can withdraw their consent at any time
Again this one is pretty self-explanatory, but put simply, if a user contacts you to say “I no longer want you to keep my details on file” then you legally have to delete every piece of data you have on that user. No questions asked.
So those are the core areas covered in GDPR and where you will likely need to make a few amendments to your policies and procedures going forward within your business.