The GDPR (General Data Protection Regulation) is a set of guidelines coming into effect on the 25th of May 2018 that aims to protect EU citizens from privacy and data breaches. All organisations that process personal data, regardless of Brexit, will need to comply with these regulations or risk hefty fines.
This guide aims to cover some of the main points of what your organisation needs to know about the GDPR.
Firstly (and arguably most importantly), you need consent from your customers to store their data. This means that you need positive opt-in consent that cannot be assumed through silence or pre-ticked boxes. You need to make sure you have a clear process that allows people to give and withdraw consent (such as clear unsubscribe links in email newsletters).
The GDPR lists the following rights for individuals:
You and your teams need to be fully aware of what personal data you hold, how you use it, where it came from and who you share it with. The GDPR requires you to keep records of all these data gathering and processing activities, both online (on your website, apps, online tools) and within your internal business operations.
Some important questions include:
Under the GDPR, you'll need to communicate information such as your data retention periods and that individuals have a right to complain if they think there is a problem with the way you're handling their data. With this in mind, we recommend reviewing your current privacy policies so that they state what data you hold, what it is used for, and inform users of their rights regarding their information.
In most cases you will not be able to charge for complying with a request from an individual to access the data you hold about them. You will have a month to comply, rather than the current 40 days, but you can refuse or charge for requests that are manifestly unfounded or excessive. If you do refuse a request, you will need to inform the individual why and that they have the right to complain. This must be done within 30 days.
The GDPR introduces a duty on all organisations to report data breaches to the ICO when a breach is likely to result in a risk to the rights and freedoms of individuals. You should have procedures in place to effectively detect, report and investigate breaches.
You must assign a member of your team as a DPO (Data Protection Officer) if you are:
If you fall into one of the above categories, it is important that someone in your organisation, or an external data protection advisor, is able to take responsibility for your data protection compliance and has the knowledge, support and authority to carry this out effectively.
The Viron Media team is committed to helping its clients succeed, so please feel free to get in touch with any questions or concerns.
Further Reading: