GDPR (General DATA Protection Regulation) comes into force on 25th May 2018. It requires:
- enhanced personal privacy, meaning more rights for your customers and visitors.
- more defined processes dealing with personal data.
- more transparency in why and how you use personal data.
- greater staff awareness of the new regulations.
- awareness of the greater financial penalties which can be imposed for breaches.
How does it affect you?
If your organisation collects or stores any personal data from people in the EU, you need to comply with GDPR. This includes email addresses, names, contact details, addresses; both electronically AND on paper. If you don’t comply, there are stiff financial penalties.
However, demonstrating compliance shows that you are a trustworthy organisation that respects users' privacy and personal information.
Steps to compliance1: Information Audit
Take an inventory of the personal information you hold already, how and where it is stored, what processes you have for data protection. Everyone in the organisation is responsible for data protection.
A GDPR information audit needs to include personally identifiable information not a full scale audit of all documents and information held.
Personally identifiable information is information that relates to a living individual, for example: a name and a school, a name and address, or a name and date of birth.
All types of personal information that is collected and stored falls under GDPR, regardless of the original purpose. All of it needs to be inventoried; we recommend using a template for the Information Audit. You can then consider the 5Ws:
- why is personal data processed?
- whose personal data is processed?
- what personal data is processed?
- when is personal data processed?
- where is personal data processed?
2: Validate and simplify
- do you need all of the information you collect?
- do you duplicate and store information in multiple places?
- how long is it retainedt?
- is it current and up-to-date?
- do you have secure password protection in place? All documents and 'databases' (which included lists in spreadsheets, documents and other systems such as accounting, billing, invoicing) which hold personal data must be secured.
- is personal data transmitted or shared via secured channels?
- how is shared access controlled?
- ensure that the passwords are stored in separate locations.
You are obligated to let your customers know why you are collecting their data, what you do with it, and, most importantly under GDPR, gain their consent to collect and use it; also inform them how to withdraw consent so it can be deleted.
Procedures are required for gaining consent, recording consent, updating consent and deleting personal datathat is no longer to be used.
The new GDPR is very specific on the principles of explicit consent in the form of explicit opt-in. Assumed consent and default opt-ins are no longer acceptable. This means re-designing paper and online forms to request consent by purpose and channel/medium.
Following posts will look at the potential minefield of managing consent under GDPR. RC