New Data Protection Regulations (GDPR) – a practical overview
I see and hear comments daily from businesses large and small of genuine surprise that there are fairly significant changes coming into force that will impact them.
In reality this key piece of EU law was passed back in 2016 and they have allowed businesses until 25 May 2018 to get ready. That said the Information Commissioner's Office (ICO) have only published an overview. The finite detail is still being worked on. But irrespective of the lack of detail, common sense can be applied to start getting your house in order.
Who does it affect?
The reality is that it affects every business. There is not one business that doesn’t hold some form of information about others. Whether it’s a customer, a supplier or an employee, you will have some sort of data.
The obvious things are email details, addresses and phone numbers, but it will also include IP addresses, employee numbers and, basically, anything that can be used to identify an individual.
Every business will be different, so every business will need to review what they have.
Data Protection (DP) isn’t new. As business owners and managers, you should already be aware of DP, and you should already have processes in place to protect people.
But the reality is that many businesses don’t. And that is why this key change is having such an impact now. There is great rushing around to see what is needed, and some are raking it in on the cash cow that invariably comes with something new that everyone is responsible for.
Don’t forget you are also a person – so before arguing that the law is ridiculous, stop and think how you would feel if your personal information were shared. How do you feel when you get numerous calls offering to sort out your PPI? Most hate it. So why, as a business owner, would you let it go on in your own Company?
What will happen if I don’t do anything?
Potentially there are fines, and they are not small: up to 4% of your global turnover or £20 million, whichever is the higher. Most of us don’t have that sort of turnover, but suffice it to say there is an impact.
The ICO don’t particularly want to fine people; that solves nothing. What they want to ensure is that personal information is secure and not shared willy-nilly. They want to stop some of the harrowing tales of constant harassing calls asking for money, of people being on lists for goods that they don’t want or need, and of people’s data being published “out there” when it is personal and not needed. The legislation is there to protect all.
In 2015, Olive Cooke, a poppy seller aged 92, received hundreds of letters asking for donations. She parted with a lot of money and in the end committed suicide.
Many of us have common sense, but some do not, and those people prey on the vulnerable in a way that is quite frankly wrong.
What do I need to do?
There are 12 steps you need to take. These are all listed on the ICO website in the document “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”.
Essentially you should do an audit. Review and challenge the information that you hold. Why do you have it? How long do you hold it for? Is it necessary? Some things have to be retained for statutory purposes; that’s ok, just ensure you are consistent.
Make sure that everyone knows your Policy, and that anyone who works for you is trained on the legislation and how to respond to questions. So, create a Policy, which will need to be published on a website and made available to anyone who asks.
Make sure you understand individuals’ rights – there are 8 to consider.
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to data portability
6. The right to object
7. The right not to be subject to automated decision making, including profiling
If you hold lists, such as customer information, then you MUST contact them all and ask them for their express consent. If you don’t hear back, then you MUST delete their information.
This is big for those of you who rely on lists, and I am aware of people with tens of thousands of names. Yes, you have to contact them all.
Gone is the ability to pre-populate a tick box. People must fully understand what their information is being held for.
Employers need to make sure that employees are aware of the data held about them. Look, they can’t ask you to delete everything; some things have to be held for legal purposes. Just make sure that you genuinely need what you have. “Just because” is not an acceptable reason.

Make sure that your systems are all checked and secure, and that passwords are set and reset on a regular basis by each individual. Cyber security and awareness of the possibility of hacking are critical these days. As the business owner, this is YOUR personal responsibility.

Will it cost you anything? Time to do some housekeeping and to review the impacts for your business. The bigger or more complex your business, the more likely you are to need some expertise brought in to ensure that you comply. There is a lot of scaremongering out there, but it could cost you a lot if you don’t act now!