GDPR has now replaced the 1998 UK Data Protection Act. Its aim is to give people more control over how organisations use their data, and Pretty Vicious (see what we did there) penalties are being introduced for organisations that fail to comply and for those that suffer data breaches.
The EU's General Data Protection Regulation #GDPR will apply to any business that processes the personal data of EU citizens, which means it could also apply to companies based outside of the EU, ensuring data protection law is consistent across the EU.
GDPR is the government’s effort to update data protection to fit the data-rich times we live in now, simply because the internet and the cloud gave organisations room to invent numerous methods to use (and abuse) people's data. You need look no further than the ongoing Facebook/Cambridge Analytica scandal, where we are now told at least 87 million Facebook profiles were improperly shared to influence the 2016 US election.
WHAT DOES THE GDPR MEAN FOR YOU?
“The GDPR will automatically apply in all EU member states from 25 May 2018. Businesses that process extensive personal information, or which involve processing large volumes of ‘special category data’, must employ a Data Protection Officer (DPO).”
The GDPR will apply to any business that processes personal data of EU citizens, including those with fewer than 250 employees. Appointing a DPO makes that person responsible for ensuring the company complies with its obligations under the GDPR, and makes them the contact for any data protection queries. Most small businesses will be exempt. However, if your company is involved in ‘regular or systematic’ monitoring of data subjects on a large scale, or processes large volumes of ‘special category data’, you must employ a DPO.
Serious breaches (that is, any breach which impacts on the rights of data subjects) must be reported, where possible within 24 hours, to the regulator (in the UK this is the Information Commissioner’s Office (ICO)).
HOW THE GDPR CHANGES YOUR ACCOUNTABILITY
Whether you’re a controller or a processor, both parties are required to make changes in order to comply with GDPR. For example, if you’re a small business offering a service and your customer database is managed using a contacts management app hosted by a third party, this would generally make you the controller and the third party the processor. If, on the other hand, you manage all of your data on a spreadsheet by yourself, you’re both the controller and the processor. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents.
It’s easy to see the GDPR as a burden. But in reality, it’s something that can be used to add value to your business, so it’s worth your while getting GDPR organised so you can earn your customers’ trust and be a company that respects personal data. To start, you need to take into account all data you’re gathering, storing and using, including past and present employees and suppliers as well as customer data. So get to know your data. Here are 6 Pretty Vicious considerations you need to be thinking about:
1. What types of personal data do you hold (for example name, address, email, bank details, photos, IP addresses) and/or sensitive (special category) data (for example health details or religious views)? Where are you getting it from, and how are you using it?
2. If you work with any third-party suppliers who would count as processors, have you checked what their data protection policies are and whether they comply? If they don't, it might be time to change supplier.
3. Are you currently operating under an opt-in strategy, i.e. relying on consent to process personal data? If you are (for example, as part of your marketing), these activities will become more difficult under the GDPR because the consent needs to be clear, specific and explicit. It's also worth looking out for technology that will help you meet requirements around data deletion and data portability.
4. Have you updated your security measures to be GDPR-compliant? Or do you currently have any? Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
5. Under the GDPR, users have the right to request all of their personal data, rectify anything inaccurate, decline use of their data in certain circumstances, or ask you to completely erase all of the personal data you hold on them. Each request must be dealt with within a deadline of one month.
6. Are your employees trained on GDPR, and do they understand what constitutes a personal data breach? You’ll need to build processes to spot red flags and ensure staff are aware of the need to report any mistakes to the DPO or the person or team responsible for data protection compliance, as employee mistakes are the most common cause of a data breach.
7. When GDPR comes into effect companies will not be able to hold on to personal data for longer than necessary, or process it for purposes that the individual isn’t aware of. Consent may not be required for pre-existing personal data, as long as you have a legal basis that’s compliant with the current legislation (the DPA).
Aside from the law, responsible data handling is a basic principle of good business. If your business is a one-man band, have you thought about how you’d explain a breach to your trusted customers? It’s easier to follow the GDPR and get compliant than to spend time figuring out how you can avoid complying. Contact Pretty Vicious experts, especially if you’re working without legal guidance.
Until next time...