GDPR made easy

The new General Data Protection Regulation (GDPR) is now in force. Here, we outline the practical ways SELECT can help – and give examples of how it might affect your everyday business…

By Nicola Jengaenga, Employment Affairs Advisor, SELECT

What data do you hold?

The most important thing is to find out what personal data your business actually gathers, processes, and retains. Use the SELECT GDPR Data Check template to work out what data you deal with in your business and for what reason.

How do you communicate about privacy?

Use the SELECT GDPR Privacy Notice template to set out what data you deal with and for what purposes. Post or email to current and potential customers, and put it on your website to show how you deal with data.

How do you respond to data requests?

Use the SELECT GDPR Subject Access Request Spreadsheet template to keep track of subject access requests (SARs) received and progress in fulfilling them within the deadline. You must action any request within 30 days, and there should be no cost for individuals. Providing this data might involve printing one line of a spreadsheet, or a record from a database.

What about consent?

Use the SELECT GDPR Consent Wording template to obtain specific consent for any data you hold for which you have no other lawful basis; without such a basis, specific consent is required before you can hold it.

And data breaches?

Use the SELECT GDPR Data Breach Record Spreadsheet template to record and track any breaches. You’ll need to inform the Information Commissioner’s Office (ICO) if you detect a breach of personal data, or if you find that data is lost or stolen.

Data protection by design and impact assessments

Use the SELECT GDPR Data Impact Assessment template to assess the potential risk to personal data, and mitigate it where possible, whenever you plan to process data using a new system or to use an existing system in a new way.

Awareness

Use the SELECT GDPR Training PowerPoint template to inform staff about the meaning and impact of the regulations.

Data Protection Policy

Use the SELECT GDPR Data Protection Policy template to create your GDPR-ready data policy – and ensure you follow it.

1 The right to be informed

Data Subjects have the right to be informed about the collection and use of their personal data, including:

  • What data is collected

  • Where the data comes from

  • What the legal bases for processing this data are

  • What the data is used for

  • How it is stored

  • For how long it is stored

  • Who has access to it

  • Who the data is shared with

  • How the transfer of this data (digitally or physically) is carried out

  • Who is responsible for the safekeeping of data.

What does compliance look like in action?

Buzz Electrical produces a GDPR-compliant Privacy Statement and publishes it on its website/social media pages, and also provides it on paper or pixel to all current and future customers.

2 The right of access

  • Data Subjects have the right to access their personal data and supplementary information through a Subject Access Request (SAR).

What does compliance look like in action?

Employee Geoff Beeswax wants to know what information F Benjamin Electrician holds about him. He contacts F Benjamin Electrician by email to make a Subject Access Request. F Benjamin notes this request on the SAR Tracker Spreadsheet, or makes a note in a physical journal created for this purpose, and then commits to providing all information held about Geoff within 30 days.

3 The right to rectification

  • The GDPR includes a right for Data Subjects to have inaccurate personal data rectified, or completed if it is incomplete.

  • A Data Subject can make a request for rectification verbally or in writing.

  • An organisation must respond to your request within 30 days.

What does compliance look like in action?

Mrs Erica Volta emails Cleat & Sons to ask that her details are corrected in their database, as she keeps receiving post wrongly addressed to a non-existent Mr Eric Volta. Paul Cleat makes a note of this request on Mrs Volta’s file, and actions this request within 30 days.

4 The right to erasure

  • The GDPR introduces a right for Data Subjects to have Personal Data erased.

  • The right to erasure is also known as ‘the right to be forgotten’.

  • Data Subjects can make a request for erasure verbally or in writing.

  • An organisation must respond to your request within 30 days.

  • The right is not absolute and only applies in certain circumstances.

What does compliance look like in action?

Customer Javid Thales decided that he no longer wishes to have anything to do with BrightSpark Electrical, from whom he had previously bought electrical work. He writes to BrightSpark Electrical, and requests that all of his personal details are erased. The request is actioned within 30 days.

5 The right to restrict processing

  • When processing is restricted, organisations are permitted to store the personal data, but not use it.

  • A Data Subject can make a request for restriction verbally or in writing.

  • An organisation must respond to your request within 30 days.

What does compliance look like in action?

Customer Iain Galvani previously submitted a testimonial to the website of Kirchhoff Electrical, but now wants to have his name removed from the testimonial, and for it to appear as anonymous instead. Iain speaks to a member of Kirchhoff Electrical staff to request this. The request is noted on Mr Galvani’s file, and Kirchhoff Electrical actions this request within 30 days.

6 The right to data portability

  • The right to data portability allows Data Subjects to obtain and reuse their personal data for their own purposes across different services.

  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

  • It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

What does compliance look like in action?

Employee Parveet Shok is currently serving her notice, and would like a digital record of all the training courses and in-house training which she has completed while working at Iron Electrics. Boss Toni at Iron Electrics receives the request in person, makes a note of it on Parveet’s file, and downloads the appropriate data onto a memory stick for Parveet.

7 The right to object

Data Subjects have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority. This can include profiling

  • Direct marketing, including profiling

  • Processing for purposes of scientific/historical research and statistics.

What does compliance look like in action?

Employee Gillian Blue requests that her data should not be used for Gender Pay Gap reporting. She makes this request, but as you are a large employer of more than 250 people, you are required by law to use all current employee data to inform your report. You note Gillian’s request on her file, but inform her in writing of your legal obligation in this matter, and continue to use her data.

8 Rights in relation to automated decision making and profiling

The GDPR has provisions on:

  • Automated individual decision-making (making a decision solely by automated means without any human involvement)

  • Profiling (automated processing of personal data to evaluate certain things about a Data Subject). Profiling can be part of an automated decision-making process.

  • If your business does engage in automated decision-making or profiling, please seek further legal advice on how to comply with the GDPR in this regard.

Bonus Round: Data breaches

If you experience a data breach which puts the personal data of your Data Subjects at risk, you must record it and inform the ICO. Ensure this is done within 72 hours of the breach being discovered.

What does compliance look like in action?

Wire & Co Electricians intended to send out a communication to all of their landlord customers, informing them that their landlord inspections were due. Instead of using the ‘bcc’ recipient line in Outlook (meaning that each recipient would think the message had only been sent to them), Jim Wire puts all of the email addresses in the ‘To’ recipient line, so that every recipient accidentally gets to see the full email address of every other recipient.

This is a breach of data protection under the GDPR as each customer’s email address was never meant to be given out to anyone outside of Wire & Co Electricians.

Jim Wire should now record this breach on the Data Breach Record Spreadsheet, and contact the ICO to let them know what has happened. Jim will then take advice about next steps from there.

Find out more and download the templates on the SELECT website.


© 2016 by CABLEtalk Magazine

CABLEtalk magazine, Studio 2001, Mile End Mill, 12 Seedhill Road, Paisley PA1 1JS