Are you GDPR Compliant?
What is GDPR?
May 25th 2018 is the date the EU General Data Protection Regulation comes into force. The GDPR replaces the current Data Protection Act 1998 and will impact all businesses that hold or process personal data of EU citizens. Broadly speaking, data protection is the category of law that deals with how our personal data is collected, controlled, stored or shared. The current legislation is outdated: technology has evolved immensely in the last 20 years, and the GDPR has been created to bring data protection legislation in line with current technology.
Non-compliance is not an option: the fines for breaching the regulation are huge. Beyond the fines, breaking the law would not be good for business either; it could damage your reputation and break down client relationships.
But what does it even mean?
As mentioned above, the GDPR builds upon existing laws rather than creating completely new ones. The good news is that you should already be doing most of it under the DPA.
The principles are as follows:
Lawfulness - Data should only be processed when there is a lawful basis (consent, contract or legal obligation)
Fairness - You should provide individuals with the details of how their data will be used and how they can exercise their rights
Transparency - The GDPR requires the information to be provided in concise, easy to understand, clear language
Purpose Limitation - Only collect data for specific and legitimate purposes
Data Minimisation - Only collect data which is relevant and limited to what is necessary for the purposes you are collecting it for
Accuracy - Data should be accurate and kept up to date
Storage Limitation - Data should not be held for any longer than necessary
Security - Data should only be processed in a manner that ensures security and protection against unlawful processing
Accountability - It is your responsibility to demonstrate compliance
How to get consent under GDPR?
Businesses in the UK have always been able to rely on implied consent, that is, consent inferred from silence, pre-ticked boxes or even inactivity.
Under the GDPR, not only must consent be unambiguous and obtained through a clear and affirmative action, but businesses must also show how they comply, keep a record, and provide proof that the individual has given consent for their data to be held and processed. The individual must also be clearly informed of how to withdraw their consent at any time. Individuals must be made aware of this right before they give consent and on a continuing basis afterwards.
What is personal data?
All the obvious things like name, address, contact information, religious beliefs and sexuality will still be classed as personal data under the GDPR. However, the GDPR has expanded this definition to include IP addresses and economic, cultural or mental health information. Any data from which an individual can be identified will be considered personal data.
What about Terms & Conditions and Data Protection Policies?
By acting now, you can ensure your terms and conditions and policies are adequate for the coming enforcement of the GDPR.
Do you have employees? Suppliers? Sub-contractors? These all have access to the personal data you collect and are responsible for. Having a clear GDPR policy within your business is a great start towards becoming compliant, and should there ever be a breach, you can show the ICO that you have taken all reasonable steps to comply.
Your terms and conditions may need updating. For example, you can no longer hide the terms for consent: they must always be separate from your standard terms, and you cannot make them so complicated that people won’t bother to read them. Put simply, consent must be a genuine choice and cannot be a standard condition of service.
Collecting personal data through your own website can be slightly more straightforward than collecting it by other means. Consent can be provided by a clear and unambiguous ‘opt in’ tick box (remember, pre-ticked boxes are not allowed), and the proof is all recorded. When personal data has been collected elsewhere, consent forms are the most compliant way to stay in line with the GDPR. This way, businesses can make sure consent is specific, clear, prominent, opted-in, properly documented and easily withdrawn.
It is important that any business that holds or uses personal data does not ignore the GDPR; however, there really isn’t any need to panic either.
BEB can assist with re-writing your terms and conditions and policies, help you implement any new policies, and answer any questions you may have. Call us today on 01604 217365.
Extra guidance is also available from the Information Commissioner’s Office at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/.