We received a lot of questions about the new GDPR laws, which will come into effect on the 25th May, 2018, asking what these changes are and how to practically implement them. Therefore, I thought I’d write a comprehensive blog post to firstly calm the panic, which these new regulations seem to be causing, but also to breakdown the most important points and to remove the mystery surrounding these fairly standard updates.
First question answered: it is highly unlikely that Brexit will stop these changes coming into force or that this law will be repealed when we leave the EU. In May we will probably still be in the EU, but also to keep a trade agreement with EU countries, we would probably need to have similar data protection policies. Therefore, if you are hoping you won’t have to deal with these regulations, then stop hoping and accept they are coming.
Now, onto the better news; the updated General Data Protection Regulations are actually very similar to the previous guidelines, so if you are responsibly following these then there is no need to panic. The main shift within the rules is that companies are now legally obliged to follow them, implementing them to the best of their abilities and can be reprimanded and fined if they don’t. Additionally, the onus will now be with the company to ensure their data records are up to date and secure, as opposed to the previous rules which relied on active individuals keeping track of where their information was and how it was being used.
Below, I will go into more detail about the updates and provide some tips on ways to ensure you remain within the law and the transition is as smooth as possible.
Aims of the new law are:
- Update the use and storage of personal information to reflect the digital society we live in
- Protect people’s fundamental rights and freedoms, which include privacy
- Enable free movement of data securely within the EU
- Contribute to the social, economic and trade progress
- Create a cohesive, intelligible data protection regulation for all the EU
Main requirements of the 2018 Regulations:
- Personal data must be acquired and processed within the law, in a fair and transparent way
- Data must be used and collected for a specific purpose and cannot be reused after that purpose is finished without permission from the individual
- Ensure you keep systems up to date and if a customer asks for their information to be removed it is done so as soon as possible
- If data is no longer relevant to the purpose it was collected for or is out of date, it must be cleansed from the system
- Each company must keep a paper trail of their actions to demonstrate they are within the law
- Data must be kept securely, protected from unlawful process and there should be a policy in place for a security breach
- Data protection is extremely important in the new regulations so don’t ignore this
- Individuals need to be able to be told what data you have on them and how you got it
- It is a company’s responsibility to contact any third parties
Tips
- Look over current systems and discuss with staff regularly using them what they think are the drawback and flaws in them
- If you are going to do this, create a form for people to fill out, so you can prove that you have done this
- Don’t disregard staff training, it may be that your current system is fit for the job, but could be used better
- Book in staff training sessions, which are recorded for potential auditing
- Create a staff handbook for working with data properly
- Keep a record of who can access individual’s information and decide how you will stop people accessing this data when they leave the company or change departments etc.
- When collecting high risk data, which includes detailed personal information on life activities and behavior, create and document a privacy assessment to show you have thought about the information you are gathering, why you need it and the implications of having these statistics
- Keep records of all the data gathering you do and ensure in all these attempts, you have told the individual what their information will be used for and how long you will keep it
- Send out an email to the people you have on file, explaining why you have their details and why you would like to keep their details, whilst also giving them the option to remove themselves from your database if wanted
- Example: we collected your information in 2015, because you asked to join our ‘news’ mailing list. If you are happy with us continuing to contact you and storing your details, please ignore this email. If you would like us to cease contacting you and remove your details from our database, please click here. If you would like further information, please get in touch with us here
- Share your organisations data policy on the company website, so it is accessible and transparent
- Expect users to be more active than previously, asking about data systems and policy, wanting to change information of theirs and reporting you if you appear not to be within the law
- I don’t think people will be aggressive over this, but I do think with the heightened awareness surrounding data protection, companies should be prepared to handle enquiries and have an easy system to assist users where necessary
In short, I know that I just gave you a lot of information to think over and suggestions to make, but I think the most important element to hold onto is that the new GDPR rules coming into place in 2018 almost mirror the old ones, so it should not require a great shift in company thinking to understand them. However, you must be prepared for a dramatic change in company culture and the sooner you start this change, the easier it will be. If there is one final thing I can give you it is that these changes are essentially a reflection of what everyone wants; when you give your information out you don’t want a stranger to suddenly get it, you want to know it is stored safely, protecting you from future invasions of privacy and if a company that you are no longer interested in is contacting you, you want to be able to make them stop easily and efficiently. If you can provide this to your database and prove that you are doing so, that is all the new law really asks of you.