8 Things Businesses Need to Know About the New GDPR Legislation
8 Things Businesses Need to Know About the New GDPR Legislation
On the 25th of May 2018, the new General Data Protection Regulation (GDPR) is coming into force, replacing the current and out-dated Data Protection Act. This new legislation introduces tougher fines for non-compliance and gives individuals more say over what companies can do with their personal information.
If you have a business operating within the EU, or selling to customers within the EU, then this new legislation applies to you.
Here are eight things you should be aware of:
1. “Personal Data” now covers a much broader range of information, including photos, bank details, social media names, medical information, email addresses, and dates of birth, for example. The legislation is only applicable to an individual’s information, not the information of a business or company.
2. You need to keep records of all data that is processed by your business, along with the purpose for processing it, and it should only be kept for a legitimate purpose before being destroyed. Processing of personal data is permissible when: consent is given by the individual to process their data (which should be recorded), a contract requires data processing (in the case of employees, for example), there is a legal obligation, a vital interest or public interest, or a legitimate interest – such as personal information collected for the purposes of marketing.
3. When collecting personal details for a marketing email list, it used to be acceptable to have a pre-ticked box that individuals would have to remove the tick from in order to opt-out. That is no longer acceptable. Individuals must opt-in instead, and there should be a double opt-in process. This means individuals will have to tick a box to opt-in to marketing communications, and receive a confirmation email.
4. If you determine the purpose for which personal data is collected, and the manner in which it will be processed, you are referred to as the “Data Controller”. A “Data Processor” is any other person or organisation, other than an employee of the Data Controller, who processes data on their behalf. An example of this could be if you outsource your payroll or HR functions.
You should ensure you have a suitable and sufficient contract in place with any Data Processors you use, to ensure that any personal data you provide is kept secure from unauthorised access, loss, or destruction.
5. Individuals whose personal data you have collected have the “right to be forgotten”. If they request for their data to be completely erased, you must comply with this request, and inform any other organisations who hold the data, such as a data processor, to delete it also. There may be certain exemptions where there is a legitimate interest in keeping certain records, such as employee information, which is usually held for at least 40 years.
6. Individuals for whom you have personal data can request access to the information you hold on them. You are no longer able to charge an administration fee for complying with their request, and you now have just 40 days to complete the request and disclose the information. Information requests are very generic, and you are expected to provide all information that relates to the individual. If the individual is looking for a specific piece of information, you can reduce the amount of time and expense in complying with this request by asking if there is a specific piece of information they require, and providing just that information.
7. If you suffer a data breach, you must notify the Information Commissioner’s Office within 72 hours. Anyone affected, or potentially affected, by the breach must also be notified.
8. Not complying with these new regulations could result in a significant penalty. If a breach is not reported within 72 hours, there is a risk of being fined up to £10million, or 2% of your global turnover, whichever is greater.
For more information on the new GDPR legislation, download the official ICO 12 step guide.