GDPR…. It’s a bit like marmite
No doubt your inbox has been bombarded with requests from companies “to keep in touch”, and I, like most people, find it getting rather tedious and frustrating. For those who are not aware, this is all part of the new General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.
A lot more businesses fall under these regulations, and there is a lot more involved than sending a re-consent request to your mailing list. Whilst I am not a solicitor who specialises in GDPR, and do not advise on it, this post is designed to answer a few key points that business owners need to be aware of.
Further information and advice can be found on the Information Commissioner’s Office (‘ICO’) website.
What is GDPR?
GDPR is an overhaul of the existing data protection legislation, which is now just under 20 years old. The data we hold, and how we store and use it, have developed significantly in that time, so this update is more than overdue.
GDPR demands a lot more compliance work than the Data Protection Act did. Businesses need to be more transparent about what they are doing with the data they hold. Customers can now complain, report businesses to the ICO and claim compensation. Customers also have more rights regarding access to the data that a business holds on them.
Who needs to register for GDPR?
Any business that holds or processes personal data needs to register for GDPR. The definition of personal data casts a much wider net than previously: holding and using an e-mail address is storing personal data, and cookies on your website could be classified as storing and processing personal data.
What is the updated legislation?
If a business falls under GDPR then you need to read the full legislation on the Information Commissioner’s website, but in short:
Customers need to be told that you are collecting personal data, what is being collected, what you are doing with it and for what purpose
Data can only be used for the purpose that it is being collected for
Businesses can only hold the data that they need
Data needs to be kept accurate and up to date
Data can only be kept for as long as it is necessary for the purpose it was collected
Data must be kept secure against unauthorised or unlawful processing
What do I need to do?
Businesses need to make sure that they are compliant, or on the road to being compliant, on 25th May. If your business falls under GDPR, read the guidance on the Information Commissioner’s website and seek professional advice where necessary.
Not only do you have to be compliant; the documentation, systems and processes that support compliance all need to be established and put in place.
To get an idea of what is involved, this is what we have been doing or are in the process of doing:
A full audit and documentation of all the personal data that is held, including an assessment of:
What is being held
Why it is being held
What it is used for
How long it needs to be held for
Where it is held
Where it is held in the cloud, whether it is secure and compliant with GDPR
Review of IT systems and cyber security
Review of suppliers and ensuring that they are GDPR compliant
Where data is stored in the cloud, identifying where it is located and whether it has been transferred outside the EU
Updates to terms of business and engagement letters
In summary, whilst GDPR is another compliance headache for small businesses and we are being bombarded with e-mails ‘to keep in touch’, in theory we should end up receiving only the e-mails we have consented to receive, and our data should be documented and more safely stored. Watch this space!