The General Data Protection Regulation (GDPR) is an EU law which takes effect on 25 May 2018 and in the UK will replace the Data Protection Act 1998. It is, quite simply, an effort to give users better control over how organisations use their personal data, but in turn it is putting a lot of scrutiny on UK and European businesses to ensure they gain clear consent before collecting and using data from users and customers.
As with all EU laws there are of course a multitude of areas covered; however, there are a few key areas which will affect businesses who collect and use people’s data, and the consequences for not abiding by these new rules can be serious penalties, approximately 4% of a business’s annual turnover in fact! So it’s imperative to ensure your business now operates legally under this new law and that you incorporate new data protection strategies to adhere to these rules.
Before I get started, the one thing I must make clear is that this affects everyone in business. “But me and my business don’t use people’s data, so it doesn’t apply to me” is a common response I hear, but you couldn’t be more wrong if you are thinking this, so please don’t be complacent. The reason it applies to everyone is that the EU is broadening its remit when dealing with people’s data, right down to simply keeping a client’s email address. This is usually the moment the penny drops. Do you have an email address of a client who you write to? Of course you do! You probably have hundreds if not thousands! And have these clients actually given you permission to keep their email address on file? No? Well then you, my friend, are in breach of GDPR and need to sort this quickly.
So let’s look at the key aspects being imposed by GDPR:
- Controllers (business owners) must ensure that any personal data is processed lawfully, transparently and for a specific purpose
- Once that purpose is fulfilled and/or is no longer required then it should be deleted
- A user’s consent must be an active and affirmative action by that person
- Controllers must keep proof of how and when an individual gave consent
- An individual can withdraw their consent at any time
As I stated above there are of course a number of areas covered within GDPR but these are the core aspects which apply to everyone. So let’s discuss each aspect in more detail.
Personal data must be processed lawfully, transparently and for a specific purpose
So firstly you need to ensure you ‘process’ users’ data lawfully, meaning you must keep the information safe from prying eyes (encrypted areas if online, etc.) and only make it available to the members of your team who are listed in your Privacy Policy, which leads to the next point of ‘transparency’. This means your business must have a privacy policy in place which explains how you use people’s data; users should be able to see it easily on your website, or it should be to hand if someone requests to see it. If you don’t have one then write one up now! And finally a ‘specific purpose’ is pretty self-explanatory: if you gain someone’s personal data then it must be for a reason, and you can’t hold on to someone’s email address ‘just in case’ any longer. If you don’t have a reason for keeping it, get rid of it.
Once that purpose is fulfilled then it should be deleted
Put simply, if you no longer need to keep someone’s details (i.e. you have not worked with or spoken to that person in a year) then you have to delete the information. Even if someone has given you their business card and you never called them back but still have the card, it was likely implied that you could keep their business card forever, but unless that person actually signed something to specify this then you need to get rid of it.
Users’ consent must be an active and affirmative action by person
This is a biggie: no longer can you just assume that someone was happy to opt in to you keeping their details. From now on you must gain clear and concise permission to collect a user’s information, and they have to have taken an affirmative action to give you that permission. For example, if someone contacts you via a ‘contact form’ on your website then you will need to have a checkbox which confirms they agree to your privacy policy before getting in touch. Also, this tick box cannot be pre-checked; the user has to physically opt in for it to be legally binding.
Controllers must keep proof of how and when an individual gave consent
No matter how someone has given you consent to keep their details on file, you now must keep a copy of this to ensure you have clear and concise traceability back to the moment they consented. This is as much for the user’s benefit as it is your own.
An individual can withdraw their consent at any time
Again this one is pretty self-explanatory but, put simply, if a user contacts you to say “I no longer want you to keep my details on file” then you legally have to delete every piece of data you have on that user. No questions asked.
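As an added illustration (not code from the original post) of the last three points together, the following minimal consent store only accepts a submission where the consent box was actively ticked, keeps a record of how and when consent was given and which policy version applied, and on withdrawal deletes everything held on that person. The form field name, the policy version string and the email addresses are assumptions made up for the example.

```python
# Added example, not part of the original post: a tiny consent log that
# enforces affirmative opt-in, keeps proof of how/when consent was given,
# and wipes every record on withdrawal.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    given_at: str          # ISO-8601 UTC timestamp: the "when"
    source: str            # e.g. "website contact form": the "how"
    policy_version: str    # which privacy policy text was agreed to (assumed label)


class ConsentStore:
    def __init__(self):
        self._records = {}   # email -> ConsentRecord (the proof of consent)
        self._data = {}      # email -> other personal data held on that person

    def record_consent(self, form, policy_version, source):
        """Accept a submitted form only if the consent box was actively ticked.

        `form` is the parsed submission; the checkbox arrives as True only when
        the user ticked it (assumed field name "agree_privacy_policy").
        """
        # A missing field or any default value is not an affirmative action.
        if form.get("agree_privacy_policy") is not True:
            raise ValueError("no affirmative consent given")
        email = form["email"]
        rec = ConsentRecord(email, datetime.now(timezone.utc).isoformat(),
                            source, policy_version)
        self._records[email] = rec
        # Keep the rest of the submission alongside the proof of consent.
        self._data[email] = {k: v for k, v in form.items()
                             if k not in ("email", "agree_privacy_policy")}
        return rec

    def has_consent(self, email):
        return email in self._records

    def withdraw(self, email):
        """Withdrawal: delete every piece of data held on that person."""
        self._records.pop(email, None)
        self._data.pop(email, None)
        return email not in self._records and email not in self._data
```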
So those are the core areas covered in GDPR, and where you will likely need to make a few amendments to your policies and procedures going forward within your business.