The General Data Protection Regulation (GDPR) becomes law next month, requiring businesses to be more accountable when handling personal information. We unravel its mysteries – and outline what you can do now
When GDPR comes into effect on 25 May, it will change the way companies can collect, store and use personal information.
Building on the existing Data Protection Act 1998, it aims to give people more control over the data organisations hold about them.
It’s being launched because many companies were using personal data however they wanted. For example, some sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to protect data against hackers.
GDPR now gives back control of personal data to the people who own it and requires organisations to make data protection key to how they do things.
It’s likely to affect big organisations first, but small businesses aren’t exempt, so it’s important to know your responsibilities and ensure you’re compliant when it comes into force.
What is ‘personal data’?
This includes customers, employees, suppliers and any other individual you collect personal data from. It includes names, contacts, medical information or credit card details, plus digital data like website cookies and IP addresses.
How you collect data
You can only collect personal data if you have a legal reason to do so. So you might need it for a sales contract or a customer may ask you to send them information on a product or service. You must make it clear what the data will be used for and only use it for that purpose.
You don’t always need formal consent if there’s another legal way of gathering, retaining and processing information. But while getting someone’s consent might sound like the simplest way to stay compliant, there are so many conditions to achieving it you could
still be in breach, even though you think you have permission. So it’s always best to seek advice before you start.
Contracts and terms and conditions
These need to be clear and easy to understand, with no complex legal text.
Right to know
When individuals ask a business what information is being held about them, organisations must now respond within one month and can’t charge a fee.
Right to erasure
Customers can ask a company to delete all stored personal data about them, unless the company needs to keep it
for legal reasons, e.g. tax.
Individuals can request a digital copy of their data to use however they wish, e.g. switching to a new service provider.
Data security – and breaches
Any data held must be securely stored – including hard records. Most breaches must be reported within 72 hours to the relevant supervisory authority, with individual data subjects also informed.
If you don’t keep personal data secure or use it for different reasons to what it was collected for, you can be hit with severe financial penalties. ‘Lesser’ incidents carry a maximum fine of £10 million or 2 per cent of an organisation’s global turnover, whichever is greater; with serious breaches resulting in fines of up to £20 million or 4 per cent of turnover.
GDPR and Brexit
The UK government will incorporate GDPR into UK law before Brexit, so leaving the EU won’t make any difference to your obligation to comply.
There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – which means treating it as you would something valuable of your own.
If you have a GDPR query. Email Nicola Jengaenga on firstname.lastname@example.org or call her on 0131 445 9225. The Information Commissioner’s Office – ico.org.uk – and the Federation of Small Businesses – www.fsb.org.uk – can also offer advice.
Products and services
Check which products or services collect and process personal data
Ensure you have a legal basis for the processing of personal data
Ensure you can comply with the obligations to your customers as set out in the GDPR, such as the right of access and the right of erasure
Notices and contracts
Make someone in your organisation responsible for all data protection and privacy issues
Consider whether you need to appoint a Data Protection Officer – check out the ICO’s guidance for more info
Give data protection training to staff