GDPR - Update


Unless you’ve had your head well and truly buried in the sand you can’t have escaped the fact that GDPR (the General Data Protection Regulation) is nearly here: it applies from 25 May 2018.

Let’s firstly note – I am not a legal expert – I’ve read lots (& lots and then some more) on GDPR and have applied this to my business together with some very extensive guidance from the ICAEW, my professional body.  This blog is sharing the key information that I have learnt in the process, but for the full lowdown please refer to the ICO website, and if your business is complex then seek qualified legal advice.

So let’s dispel some myths:

  1. Brexit means that GDPR won’t happen .. It is here to stay, it is replacing the Data Protection Act 1998, so hoping it isn’t going to happen won’t help.

  2. It doesn’t apply to small businesses – sorry, it applies to ALL businesses regardless of size. (Some of the record-keeping paperwork is relaxed for organisations with fewer than 250 staff, but the core obligations are not.)

  3. It only affects people with a mailing list .. It covers ALL personal data, how we handle it and what we do with it; it’s not “just” about mailing lists.

I blogged on this before and you can find that here

So, let’s run through some key points again:

1.    Personal data is defined as “any information relating to an identified or identifiable natural person”, so data such as a company name or company number is not personal data, as it does not relate to a natural person and is publicly available anyway.  But your name, address, email etc. are personal data.  Be careful with sole traders and partnerships: a business name that is the owner’s own name, or a contact email address that identifies an individual, is personal data. 

2.    You need to look at what data you handle within your business, this could include:

  • Supplier data

  • Customer / client data

  • Employee data

  • Website visitors data

  • Marketing data

  • And more …

3.    You need to look at:

  • What personal data you hold in each circumstance

  • Why you hold it and on what basis do you hold it

Some data you need to hold for legal purposes, e.g. to fulfil a contract or because there is a legal need to retain the data (accounting records have to be kept for 6 years), but some data you hold for no specific legal need and it rests on another basis, such as consent or legitimate interests, e.g. marketing data.

4.    You need to consider if you are the Data Controller or the Data Processor, these are different:

“A data controller is a person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”

“A data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller”

So, I am a data controller: I decide what is done with the client information that is given to me – and that is what I have qualifications for, spend time keeping my CPD up to date, and ensure I have the right software and systems to stay compliant and that my clients are compliant too.

Whereas the cloud storage I use for backup is a data processor: it holds the data on my behalf but does not decide what is done with it and does nothing with it beyond storing it. (Whether the provider can actually read the contents depends on whether the backup is encrypted before upload with a key the provider does not hold.)

One essential part to remember is that if you are the data controller it is your obligation to ensure your data processors are GDPR compliant: you must use only processors that give sufficient guarantees, and there must be a written contract (a data processing agreement) setting out what the processor may and may not do with the data.

5.    One of the new standards is around consent – it has to be positively given by a clear affirmative action (a box the person ticks themselves), not implied from silence, inactivity or a pre-ticked box, and it must be as easy to withdraw as it was to give. This is why so many emails are landing in your inbox: you may have had to opt out of a mailing list rather than opt in, and that kind of consent no longer counts.

Lastly, what documents will you need to have? It will all depend on your business – the key one that we all need is a Privacy Policy (what GDPR calls a privacy notice).  This should be clear, concise and accessible, and at a minimum it needs to say what data you collect, why and on what lawful basis, who it is shared with (your processors), how long you keep it and how people can exercise their rights.  There are lots of templates around – just approach with caution, as your Privacy Policy needs to be tailored specifically to your business, so check that any template is appropriate and produced by someone with the right qualifications to do so.

And remember the rights for individuals under GDPR are:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision making and profiling.

And remember that consent can be withdrawn and these rights exercised at any time ... and it is possible that if a client withdrew consent or asked you to erase their data, you would have to end the engagement and cease working with them, because you can’t do the work if they won’t let you have the data! But, that is their right.

As I said at the start – this is just the information that I have picked up and noted as being key from the reading I have done and the ICAEW guidance I have read. 

The ICO website has lots of information and checklists that you can work through to help you with this and another recommendation would be to read the information that your mailing list provider has to help you with your mailing list .. and GOOD LUCK!!