Most of us running our own businesses have now heard of GDPR and we have been working towards ensuring that we are compliant with the new rules that will take effect on 25th May.
Maybe you have already taken action to ensure that you comply, or maybe you don’t know what all the fuss is about. Either way, I have created this post to help you understand what you need to do.
What is GDPR?
GDPR stands for General Data Protection Regulation, Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, upon which current UK law is based.
It includes new rights for people to access the information companies hold about them, obligations for organisations to protect and manage this information, and a new regime of fines for organisations that are not compliant with the new rules.
Does GDPR apply to my organisation?
If your organisation collects and stores any personal data about anyone then you need to comply with the new regulations.
This personal data includes, but is not limited to:
- Email address
- Postal address
- IP address
- Date of birth
You are collecting and storing personal data by:
- Having a contact form on your website
- Having comments on your blog
- Using booking software such as EventBrite
- Using messenger apps such as Facebook Messenger or Slack
- Running a poll or quiz
- Receiving reviews/testimonials from your customers
- Running an e-commerce website
- Having a sign-up form on your website that links to a third-party service like MailChimp
- Having Google Analytics installed on your website
- Running events where you keep a record of attendees
- Having an email list
- Storing contacts on your phone
- Storing information about people in a spreadsheet, document, database or on paper
What rights do individuals have under the new regulations?
As explained by the ICO, individuals or data subjects have the following rights concerning their personal data.
- Data portability – Businesses must ensure that individuals can easily obtain a copy of their personal data in case they want to transfer it to other systems.
- Strengthening subject access rights – Individuals can now request access to their data free of charge, and the request must be responded to within 30 days (this is a change from the current legislation, which allows a £10 fee and gives 40 days to respond).
- Right to be forgotten – Individuals can request that an organisation delete all the information they hold on them (although this would not apply if there was a valid reason to hold that data).
- Right to object to processing – Individuals have the right to object to the way an organisation is processing their data.
- Right to restrict processing – Individuals have the right to request that the processing of personal data is temporarily stopped. This may be invoked whilst a right to object request is being investigated.
What do you need to do in order to comply?
1. Audit your personal data
Find out what personal data you are collecting and where you are storing it within your organisation.
You should also check that you have at least one legal basis to keep this data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
2. Delete any data you don’t need
If there’s any personal data you no longer need or which you don’t have a legal basis to keep, then delete it.
3. Document everything
Your documentation needs to include:
- What personal data you are collecting
- How you collect that data
- How you use that data
- Who you share it with
- How you keep it secure
- How long you keep it for
- How individuals can access their data and update or delete it
4. Inform your audience and customers
What about existing email lists?
Individuals must give clear consent to receive marketing information from you. This means that you must not use pre-ticked opt-in boxes, and you must not manually add individuals to your mailing list without their permission. MailChimp has created GDPR fields to obtain consent for marketing permissions: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
Third Party Processing
Check privacy policies and/or supplier agreements of any third parties you use. Find out what their plans to comply with the GDPR are. If you don’t get satisfactory answers, look for alternative suppliers.
What about cookies?
Cookies are covered under the ePrivacy regulation, separate from GDPR. Its implementation date was supposed to coincide with GDPR, but it will likely be delayed as it’s still in draft.
The ePrivacy regulation distinguishes between first-party cookies, served by your own domain, and third-party cookies, e.g. those set by Google Analytics and some social sharing plugins.
It may be that browser settings will be used as a form of user consent for third-party cookies, but this is something we’ll have to keep an eye on.
I am not a lawyer, nothing in this article constitutes legal advice, and you cannot hold me responsible for anything that happens as a result of any action that you take, or do not take, as a result of the information I have given. Implementing GDPR for your organisation is your responsibility. Please seek professional help if you need it.