General Data Protection Regulation (GDPR)

Posted
19 February 2018

By Matt Puddephat

This blog is a quick guide to GDPR and the key questions you should be asking your data controllers or processors.  It is intended to help get conversations started in your business if they haven't begun already.  If you have any questions about GDPR, contact WebRelief to see how we can help.

What is GDPR?

The General Data Protection Regulation (GDPR) comes into effect in May 2018, so what is it and what does it mean to your business?

 

It is a new EU regulation which strengthens data protection for citizens in the EU and the rest of the world.  Perhaps unsurprisingly, the GDPR is a massive document, but in simple terms it looks at three key areas:

1. How you manage your customer data

2. How you manage consent for using that customer's data

3. Ensuring your data management processes are compliant and transparent

GDPR, your key questions answered:

Do UK businesses need to worry when the UK is leaving the EU?

If you are a UK business that has customers based in the EU, then yes, you are affected by the new legislation.  If you are a business which only has customers based in the UK, then the situation post-Brexit is far less clear; however, the UK Government has indicated it will implement an equivalent or alternative legal mechanism, which is expected to largely follow GDPR.

What happens if I don't comply?

There is a tiered approach to fines depending on the level of breach, but organisations can be fined up to 4% of annual global turnover or €20 million.

What constitutes personal data?

Personal data is any information relating to a natural person, or 'Data Subject', that can be used to directly or indirectly identify that individual.  It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What levels of consent do I need from my customers?

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.  It must be as easy to withdraw consent as it is to give it.  Explicit consent is required only for processing sensitive personal data; in this context, nothing short of "opt in" will suffice.  However, for non-sensitive data, "unambiguous" consent will suffice.

10 key questions to ask your data controller in order to understand how and where you need to comply with GDPR:

1. What customer data are you collecting at the moment?

2. How are you using that customer data?

3. Where do you store that data?

4. Are you using any third-party systems to store the data? Are those systems complying with the GDPR regulations?

5. How long are you holding on to customer data for? Do you have customer data you don't need?

6. Are you using customer data for marketing communications activity?

7. Do you ask customers to opt in to your marketing communications at the moment? If you do, are you following existing DPA guidelines? If yes, then you probably don't need to retrospectively update existing consents to comply with the new legislation.  If not, then you may need to "re-subscribe" them.

8. Where do you collect customer data from? Are you considering all these touch points as part of your response to the GDPR?

9. What processes do you have in place to allow people to opt out or have their personal data destroyed?

10. What processes do you have in place to identify or protect against data breaches?

Your Privacy Policy

A big part of GDPR is communicating to your users how and why you're collecting and using their data.  Updating your privacy policy and making it easily available to customers will help greatly with this.

About the author

Matt

Co-Founder, WebRelief Ltd

Matt has 15 years digital marketing experience working for some of the largest brands in the world.  Prior to Co-Founding WebRelief, Matt was on the Board of Customer Engagement Agency of the Year, Proximity London.