Now is the time to make sure you are fully prepared for the introduction of GDPR. GDPR stands for General Data Protection Regulation and, from 25 May 2018, will be the main law on collecting and processing personal data. It will come into effect across all EU member states, so while the UK is still part of the EU, businesses must comply.
World Emoji Day might seem an unusual time to highlight a data protection campaign, but this year the Information Commissioner’s Office (ICO) used it to heighten awareness of the General Data Protection Regulation (GDPR), which comes into force in May. On Twitter, the ICO used emojis of the three wise monkeys (hear no evil, see no evil and speak no evil) to tell businesses they cannot afford to be those monkeys when it comes to GDPR.
The main shift is that the new law will give more rights to individuals, and companies that use their data will become more accountable. There will be a lot more record-keeping, and you will need to make sure your privacy notices are compliant: they must set out what data is collected, what it will be used for, and why.
You can’t have a catch-all policy anymore; you need to be a lot more explicit about what you’re doing with the data. For individuals, GDPR introduces the right to be forgotten, as well as to access their data so they can ensure information held on them is accurate, and to ask questions as required.
There will be some exceptions, however. There are circumstances where other legislative and legitimate business requirements will override the individual’s right to be forgotten: for example, if you decide to keep employee performance records for a period of time following their resignation, in case of a future claim. Even then, you should be very clear on what you are keeping and for how long, and ensure you remove it when it is no longer needed.
For small businesses just starting on their GDPR journey, a good first step is to carry out an information audit: a map of the personal data you hold, and an understanding of why you hold it. Ask yourself: in which activities do you process personal data? Is this data sensitive (such as medical or financial data)? Do third parties handle this data, and are their systems secure? The first thing the Information Commissioner’s Office will ask for is what data you hold. Be prepared! Next on the list is to assess any potential risks to that data: what data would present the greatest risk if an unauthorised person gained access? This could be credit card details if you’re a retailer, for example. Prioritise the riskiest data now and come up with a plan for how you will deal with the rest of the data in the coming months.
A robust review of your security arrangements is also necessary. A security breach, as defined by the ICO, is anything that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If personal data is stolen in a cyber-attack, you must report the breach within 72 hours. The most important thing is to show you’ve taken steps to stop it, and that you have processes in place. Don’t forget to review your arrangements with third parties – perhaps your payroll is outsourced to an external company. You will need to demonstrate that their systems are secure and that they have taken steps to prevent a breach. Review how these arrangements might change in light of GDPR: for example, setting up a virtual private network with partners to share data.
Don’t be disheartened: the new regulations present an opportunity for businesses to review and improve their marketing communications, and to consider why they collect the data they do and whether it is really necessary.
For more information about GDPR you can visit the ICO website https://ico.org.uk. Here you will find a 12-step guide to preparing for the new regulations.