The European General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018.
You’ve probably already heard the abbreviation GDPR floating around these last few months. This is not just another piece of legislation – it’s crucial that businesses take action now. But first, it’s important to know how it affects the way businesses use and track personal data, and the steps that businesses need to take now in order to be prepared for these changes.
The GDPR is changing the way businesses can use personal data. The aim of the new regulation is to protect individuals’ data and privacy. What exactly is meant by this? It affects the way businesses collect, store and use information about individuals, and applies not only to customer data but also to data about your past or present employees and suppliers. It gives individuals more control over what businesses do with their personal information.
Who does the GDPR affect?
You may think the new regulation only applies to large organisations, but regardless of the size of the business, the GDPR affects every business that handles the personal data of people in the EU.
The good news is that the GDPR does scale some obligations with size and risk, but the commonly repeated ‘250 employees’ rule is about record-keeping, not Data Protection Officers. Businesses with fewer than 250 employees are exempt from keeping full records of processing activities, unless their processing is regular, is likely to risk individuals’ rights, or involves special category or criminal offence data. Appointing a Data Protection Officer (DPO) – the person responsible for making sure that the business collects and secures personal data in a responsible way – is mandatory for public authorities and for any organisation, whatever its size, whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. A small business that does neither need not appoint a DPO, but it still has to be compliant with the changes happening on the 25th May 2018, and it may still choose to appoint a DPO voluntarily.
The GDPR does not only affect businesses located in the UK. It protects the data of individuals in the EU (not only EU citizens), which means that a business in any part of the world that offers goods or services to people in the EU, or monitors their behaviour (for example through website tracking), has to comply with the new European regulations.
What kind of data does the GDPR apply to?
Any information relating to an identified or identifiable individual. This could be a name, an email address, a photo, posts on social media platforms, bank details, medical information, a computer’s IP address, or ‘special category’ data such as sexual orientation, religious beliefs, health, etc., which attracts extra protection. It also includes any piece of information that could be linked to an individual, even indirectly. For instance, a cookie or similar identifier on a website can be used to single out an individual visitor and is therefore classed as personal information.
What rights will individuals have?
Right to be informed
Under the GDPR, individuals have the right to be informed about their data being collected and used. Businesses must provide their customers with a privacy policy detailing what data is being collected, why it is collected, the lawful basis for collecting it, how long you will keep it for and, if applicable, who you will share it with. This privacy information must be provided to individuals at the time you collect their data. If you obtain the data from other sources rather than from the individuals directly, you must provide them with the privacy information within a reasonable period and at the latest within a month (or at the first communication with them, if sooner).
Right of access
Individuals have the right to get confirmation that their data is being processed and can also request a copy of that data (companies have to provide this information free of charge and within a month of the request; a ‘reasonable fee’ may only be charged for manifestly unfounded, excessive or repeat requests).
Right to rectification
Individuals have the right to have their data rectified if it is inaccurate or incomplete. If an individual requests this, the company needs to deal with the request within a month (if the request is complex or there are several of them, the one-month period may be extended by a further two months, and the individual must be told about the extension within the first month).
Right to erasure (also known as ‘right to be forgotten’)
Individuals have the right to ask for erasure of their data, for example where it is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing relied on. This includes withdrawing consent to cookies on your website after previously opting in: once consent is withdrawn you must stop setting those cookies and erase the data collected under that consent, unless you have another lawful basis for keeping it.
Right to restrict processing
Individuals have the right to ask you to restrict the processing of their data, for example while a dispute over its accuracy is being resolved. While processing is restricted you may store the data but not otherwise use it.
Right to data portability
Individuals can request a copy of the data they have provided to you in a structured, commonly used and machine-readable format, and can ask for it to be transmitted directly to another service where this is technically feasible. If this is the case, you must provide a safe and secure transfer of their data.
Right to object
Individuals have the right to object to:
– processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
– direct marketing
– processing for purposes of scientific/historical research
Rights in relation to automated decision making and profiling
Where decisions with legal or similarly significant effects are made solely by automated means, you must tell individuals about the processing, give them a simple way to challenge a decision and request human intervention, and carry out regular checks that the systems work as intended.
(ico.org.uk)
What steps do businesses need to take?
Audit your business
It’s important that you know everything about the information you hold and who it’s shared with. Probably the best way to do this is to organise an audit across your organisation and document what data you hold, what you use it for, where it came from, who you share it with and how long you keep it. Review your privacy policy at the same time, and check whether you give people an option to opt out. This might take a while, but it will give you a much better understanding of what actions your business needs to take once the new regulation is enforced.
Update the privacy policy
You should already provide this information; however, it should be reviewed, as the GDPR brings new requirements for what needs to be included in your privacy policy. You will have to explain your lawful basis for processing the data, state the retention period, and let people know that they have a right to complain to the ICO if they think the way you handle their data is not correct.
Cookies
Don’t forget to include information about cookies on your website – including a list of the cookies you set and what each one does. You will almost certainly also have to change how cookies are used on your website: non-essential cookies (analytics, advertising, social media) must only be set after the visitor has actively opted in, and visitors need a way to subsequently withdraw that consent that is as easy as giving it. Cookies that are strictly necessary for the service the visitor asked for (such as a session cookie that keeps them logged in) do not need consent, but should still be listed.
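The gating logic described above, as an added example that is not part of the original page: a minimal first-party consent record, a published cookie catalogue, a check that refuses to set any non-essential (or unlisted) cookie without an opt-in for its category, and a withdrawal routine that deletes the cookies set under that consent. The cookie names, categories and the `cookie_consent` record format are assumptions for the example; cookies are read and written through a small "jar" object so the code runs outside a browser, with a `document.cookie` backed jar shown for real pages.

```javascript
// Added example, not code from the original page. A consent gate for cookies.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of our own consent record
const CONSENT_VERSION = 1;               // bump whenever the cookie list or policy changes

// The cookie list the site would publish in its cookie notice (constructed example).
// "necessary" cookies need no consent; every other category must be opted into.
const COOKIE_CATALOGUE = {
  session_id:    { category: "necessary", purpose: "keeps you logged in" },
  _analytics_id: { category: "analytics", purpose: "counts visits to this site" },
  ad_pref:       { category: "marketing", purpose: "remembers advertising preferences" },
};

// In-memory jar so the example runs anywhere (tests, Node). Same shape as browserJar().
function makeJar(initial = {}) {
  const store = { ...initial };
  return {
    get: (name) => store[name],
    set: (name, value) => { store[name] = value; },
    remove: (name) => { delete store[name]; },
    names: () => Object.keys(store),
  };
}

// Browser-backed jar using document.cookie (only callable in a page).
function browserJar() {
  const parse = () => Object.fromEntries(
    document.cookie.split("; ").filter(Boolean).map((kv) => {
      const i = kv.indexOf("=");
      return [decodeURIComponent(kv.slice(0, i)), decodeURIComponent(kv.slice(i + 1))];
    }),
  );
  return {
    get: (name) => parse()[name],
    set: (name, value) => {
      document.cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; path=/; SameSite=Lax; Secure`;
    },
    remove: (name) => { document.cookie = `${encodeURIComponent(name)}=; Max-Age=0; path=/`; },
    names: () => Object.keys(parse()),
  };
}

// Returns the stored consent {version, allowed, ts} or null if absent, unparsable or stale.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    // A consent given under an older cookie list is not consent to the new one: re-ask.
    if (c.version !== CONSENT_VERSION || !Array.isArray(c.allowed)) return null;
    return c;
  } catch {
    return null;
  }
}

// Records an affirmative opt-in for the given categories, with a timestamp as evidence.
function recordConsent(jar, categories, now = Date.now()) {
  const allowed = [...new Set(categories)].filter((c) => c !== "necessary");
  jar.set(CONSENT_COOKIE, JSON.stringify({ version: CONSENT_VERSION, allowed, ts: now }));
  return allowed;
}

// The gate: necessary cookies always pass; everything else needs consent for its category;
// a cookie that is not in the published list is refused outright.
function canSet(jar, name) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false;
  if (entry.category === "necessary") return true;
  const consent = readConsent(jar);
  return consent !== null && consent.allowed.includes(entry.category);
}

function setCookie(jar, name, value) {
  if (!canSet(jar, name)) return false;
  jar.set(name, value);
  return true;
}

// Withdrawal: delete every non-necessary cookie we set, keep the necessary ones,
// and record an empty consent so the withdrawal itself is evidenced.
function withdrawConsent(jar, now = Date.now()) {
  const removed = [];
  for (const name of jar.names()) {
    const entry = COOKIE_CATALOGUE[name];
    if (entry && entry.category !== "necessary") {
      jar.remove(name);
      removed.push(name);
    }
  }
  recordConsent(jar, [], now);
  return removed;
}
```

The important property is that `setCookie` is the only path by which scripts on the page set cookies, so an analytics or advertising tag cannot drop its cookie before the visitor has opted in; bumping `CONSENT_VERSION` forces a fresh opt-in whenever the published cookie list changes.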
Opt-in/-out
Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count as opting in. You must also make it as easy to withdraw consent as it was to give it, and keep a record of what people consented to and when.
Be concise
State exactly what information you store, why your business gathers it, how you will store it, what you will do with it, how long you will keep it for and who else will have access to it, in plain language that your customers can actually understand.
Create a data policy for your business
Individuals have far more control over how companies handle their data. You must prepare for situations such as: how will we erase the data if requested, including copies held by suppliers and in backups? Who will be responsible for doing so? How will we verify that the person making the request is who they say they are? Also, bear in mind that the period for handling subject access requests will change from 40 days to a month!
Data breaches
Situations like this are not ideal but they do happen. You should have the right procedures in place to detect, report and investigate personal data breaches, and you must keep a record of every breach, even those you decide not to report. You have to report a breach to the ICO without undue delay, and within 72 hours of becoming aware of it, if it is likely to result in a risk to individuals’ rights and freedoms; if the risk is high, you must also tell the affected individuals themselves without undue delay.