Don't panic! Get GDPR ready
- AuthorJonathan Rathbone
Data Protection law is relevant to every business. It should not be ignored under the current rules, but under the General Data Protection Regulations (GDPR), which come into force in May next year, businesses will be required to take another look at what data they hold, how they keep it secure and what they are permitted to do with that data.
GDPR will largely be welcomed by the consumer as they will, effectively, hand back control over 'data' to the people who own the personal information. Businesses should also see this as an opportunity to review their systems and processes and mitigate the risk that they could be subject to a damaging cyber-attack or personal data leak.
There is work to be done and businesses that process information relating to an identifiable person, i.e. a human being, must ensure that they comply with the new laws before they're in force in less than a year's time. Unless you and your business have been burying your head in the sand when it comes to personal data, it is likely that you will already have implemented compliant guidelines, polices and procedures for data protection. The emphasis is on thinking carefully about what you do currently and assessing what, if anything, you need to do to meet the new requirements.
We have provided a brief checklist of some of the main things you should be considering:
1. Review Privacy Policies - in addition to the information you're currently required to provide to individuals, you will also have to give explanations including the legal basis for processing their information and how long you intend to hold it for. This must be in a clear and easy to understand language, which, if your target market includes children must be given careful consideration.
2. Consent - check how you seek, obtain and record an individual's consent to use their data. Under the new rules consent must be freely given, informed, specific, unambiguous and clearly distinguishable. Separate consents must be obtained for distinct processing operations and not bundled in with other agreements, such as by way of a catch all tick box. Consents must be a positive indication of agreement, meaning that inactivity, pre-ticked boxes and inference by silence will not suffice. Consent must also be verifiable so you need to be able to demonstrate that you have recorded the distinct consents you have obtained from each individual. You must also make it just as easy for individuals to withdraw their consent as it is to give it in the first place.
3. Check your existing procedures -
a. How easy is it to correct information if it is inaccurate? You may want to consider a system where individuals may have access to your database to amend their own details.
b. Can data be deleted swiftly? Under the new rules individuals have a right to erasure, which is far more limiting than the current right to be forgotten.
c. How do you record data? Individuals have a right to ask for any information you hold on them to be sent to them in a format preferable to them. This may be by email, which could create time consuming administration efforts if you currently record data in paper format;
d. Deadlines for these information requests will be reduced and will have to be met within 1 month of the request rather than the current 40 days. Also you will no longer be able to charge administration fees.
These changes may sound daunting for businesses, certainly those that process large volumes of data, however, to pinch a phrase from the immortal genius Lance Corporal Jones: "don't panic!" there is still time to get your procedures compliant. Jon Rathbone and Danielle Isaac in the corporate and commercial team at Hughes Paddison can help you with these matters. If you'd like to discuss GDPR and better understand your obligations give us a call on 01242 586354.