We all know (or we should do) that the new legislation about GDPR is about to come into effect and that it could have a huge impact on how we run our businesses. But what does it actually mean and what do you and I need to do about it? Thankfully Alex Saunders, from Leathes Prior, was on hand at a recent Norfolk Chamber conference to give us an overview of the important bits and, most importantly, to tell us not to panic!
GDPR is General Data Protection Regulation and it will govern how personal information is handled and used by companies. Firstly and very importantly, personal data is anything that can identify someone living – their name, address, IP address, date of birth etc. If you’re using that data you need to comply with the GDPR rules. The legislation comes into effect on the 25th May this year and will be enforced in the UK by the Information Commissioner’s Office (ICO) and the penalties for non-compliance can be hefty.
The main principles are fairly straightforward – Lawfulness, fairness and transparency.
There are five grounds on which you can hold and use someone’s personal information:
- Consent – an individual has agreed to their data being held and used
- Contract – i.e. the company has a contract with an employee to use their data
- Vital – i.e. medical information used to save someone’s life
- Public task – e.g. tax returns
- Legitimate interest – e.g. credit referencing. Legitimate interest can also be for commercial benefit but this cannot be used to cause harm to the person or their interests
MYTH: consent is always necessary to process personal data
FACT: consent is one way to comply with GDPR
Active consent may be required if data is to be used for:
- Direct marketing
- Using or sharing data in an unusual way – e.g. selling a database of data
- Transferring personal data outside of the EU
Consent would not be appropriate if:
- You are in position of power – e.g. an employer
- Consent is a pre-condition of using the service
- You would still process the data if consent was withdrawn
The most important part of consent is that consent must be freely given, specific, informed and unambiguous. An example would be ticking a box during online shopping agreeing to receive a monthly newsletter from the company you are purchasing from.
Some useful do’s and don’ts to remember –
Do:
- Make sure consent is what you want to do in the first place
- Use clear and plain language
- Be open – if you’re sending the data to someone else, tell the person where that data is going
- Keep records of who gave consent
- Ability to withdraw – this must be as simple as possible with no complicated processes to go through
Don’t:
- Bundle consent – i.e. make sharing data a condition of signing up for a service
- Rely on blanket consent
- Use pre-ticked boxes
- Penalise for withdrawing
- Public authorities must not rely on consent
So how can we make sure we’re compliant? Alex handily provided a few action points to take to make businesses GDPR ready.
- Review the personal data you hold
- Identify the grounds under which you are holding the data. Are there any other lawful bases for business processing?
- Does it meet the GDPR standard? Do you need to obtain fresh GDPR-compliant consent?
- Ensure proper procedures are in place for recording consent from new individuals
- Consider running a ‘re-connect campaign’, that way you know everyone on your files has consented under the new guidelines.
The main thing as mentioned before is not to panic! Set some time aside to review how you gain consent, how personal data is used and whether everyone you have personal details for already has consented properly and fully.