GDPR: How will you be affected?
What is it?
The General Data Protection Regulation, or GDPR, is a new EU regulation that will replace the current Data Protection Act and strengthen existing data protection legislation.
It aims to give more protection to individuals whose data is used by businesses and charities, and to build consumer trust in online services – in short, ‘data protection and privacy for the digital age’.
Access to user data is a key consideration – users can request at any time to find out what data of theirs an organisation holds and how it is used.
GDPR gives individuals the following rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making. The right to erasure is often called the ‘right to be forgotten’: people can request that their personal data is removed.
Who will it affect?
Any organisation that processes an individual’s personal data will be affected.
All businesses and charities will have to comply, as GDPR will become part of UK law following Brexit. Organisations that are not compliant could be fined up to £17m or 4% of their annual turnover, whichever is higher.
Organisations don’t need consent for every kind of direct marketing, such as contact by post or by phone. Charities can still contact people on the basis of ‘legitimate interest’ – their interest in furthering the cause of the charity – but that interest has to be balanced against the rights and interests of the individual, and the individual can still object.
GDPR will come into effect on Friday 25th May 2018.
What steps need to be taken?
The first, and perhaps most important, step is to build awareness within your organisation about GDPR and its impact. Some organisations might want to appoint a Data Protection Officer who will be responsible for the internal data audit and for compliance; for some organisations, such as public authorities, a DPO is mandatory.
It’s a good idea to audit what information your organisation holds, where it came from and who you share it with. In the same vein, maintain records of your data processing activity so that you can demonstrate accountability if required.
Organisations that are already compliant with the existing Data Protection Act won’t have too much to do – most of their current approach should remain valid.
Businesses are required to show how they comply with data protection principles. Check your privacy notices – those whose data is held by an organisation are entitled to a privacy notice explaining how the information is being processed and used.
You need to explain clearly why you’re collecting personal data and how it will be used. You will generally need consent if you intend to make data available to third-party providers such as Google Analytics or telemarketing companies.
Consent must be freely given through an informed and clear affirmative action, such as ticking a box. Implied consent, for example inactivity or a pre-ticked box, will not count as valid permission under GDPR. Be prepared to deal with customer requests such as ‘I want to find out what information you hold on me’ and ‘remove all information about me’.
Consent also needs to be granular: people should agree to each purpose and each contact method separately, i.e. different tick boxes for email, text and post, rather than one blanket opt-in.
Be aware also that the amount an organisation can be fined by the Information Commissioner’s Office (ICO) has been increased, and that organisations have a duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of them. It is useful to have procedures in place to detect, report and investigate any personal data breaches.
Businesses should also consider their partnership working arrangements with other organisations, especially where these depend on data sharing.
Overall: the key principles of GDPR that you need to be aware of are transparency and accountability. Organisations should record what they have done to mitigate the risks of their processing activities. Damage can occur not just through a data breach, but through doing nothing at all; the ICO will take responsible behaviour into account when assessing culpability for a breach.
Opportunities: GDPR is a chance to build deeper relationships and greater understanding with customers, clients, supporters and employees. It brings to the fore the opportunity to put the rights, freedoms and interests of individuals first, and to build better data-handling processes and accountability.