The GDPR (General Data Protection Regulation) is a set of guidelines coming into effect on the 25th of May 2018 that aims to protect EU citizens from privacy and data breaches. All organisations that process personal data, regardless of Brexit, will need to comply with these regulations or risk hefty fines.
This guide aims to cover some of the main points of what your organisation needs to know about the GDPR.
1. Get Consent
Firstly (and arguably most importantly), you need consent from your customers to store their data. This means that you need positive opt-in consent that cannot be assumed through silence or pre-ticked boxes. You need to make sure you have a clear process that allows people to give and withdraw consent (such as clear unsubscribe links in email newsletters).
2. Know Their Rights
The GDPR lists the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
- The right not to be subject to automated decision-making including profiling
3. Know Your Data
You and your teams need to be fully aware of what personal data you hold, how you use it, where it came from and who you share it with. The GDPR requires you to keep records of all these data gathering and processing activities, both online (on your website, apps, online tools) and within your internal business operations.
Some important questions include:
- Is your website secure? (Read our post on SSL/HTTPS)
- Is your organisation’s anti-virus software up-to-date?
- What database do you use? Is it secure?
- Do you have a system that allows you to input, store and use data securely?
- Are you requesting, storing and processing only the minimal data necessary to fulfil the agreed purpose?
- Have you updated your Terms & Conditions, contractual small print and Cookies Policy?
4. Communicate Privacy Information
Under the GDPR, you’ll need to communicate information such as your data retention periods and that individuals have a right to complain if they think there is a problem with the way you’re handling their data. With this in mind, we recommend reviewing your current privacy policies so that they state what data you hold, what it is used for, and what rights users have over their information.
5. Access to Data Requests
In most cases you will not be able to charge for complying with a request from an individual to access the data you hold for them. You will have a month to comply, rather than the current 40 days, but you can refuse or charge for requests that are manifestly unfounded or excessive. If you do refuse a request, you will need to inform the individual why and that they have the right to complain. This must be done within 30 days.
6. Data Breaches
The GDPR introduces a duty on all organisations to report data breaches to the ICO when a breach is likely to result in a risk to the rights and freedoms of individuals. You should have procedures in place to effectively detect, report and investigate them.
7. Data Protection Officers (DPO)
You must assign a member of your team as a DPO if you are:
- An organisation that carries out the regular and systematic monitoring of individuals on a large scale
- A public authority (except for courts acting in their judicial capacity)
- An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
If you fall into one of the above categories, it is important that someone in your organisation, or an external data protection advisor, is able to take responsibility for your data protection compliance and has the knowledge, support and authority to carry this out effectively.
The Viron Media team is committed to helping its clients succeed, so please feel free to get in touch with any questions or concerns.