What is GDPR?
The GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy. It is designed to give EU citizens more control over their personal data and impose stricter requirements on organizations.
Who Needs to be Compliant with GDPR?
Any organization that stores or processes personal information on citizens of the EU is must be GDPR compliant.
What Does This Mean for Consumers?
Under the GDPR your rights are as follows:
• The right to be informed about our collection and use of personal data; The right of access to the personal
data we hold about you
• The right to rectification if any personal data we hold about you is inaccurate or incomplete
• The right to be forgotten – i.e. the right to ask us to delete any personal data we hold about you.
• The right to restrict – i.e. prevent the processing of your personal data;
• The right to data portability – Obtaining a copy of your personal data to re-use with another service or
organisation.
• The right to object to us using your personal data for particular purposes, and
• The right not to be subject to automated decision making including profiling.
Consumers can complain to the ICO [www.ico.org.uk]
Types of data protected
Any information that can identify an individual is under the protection of GDPR, this includes but is not limited to:
• Name, Address and National Insurance number
• CCTV footage, car registration numbers and RFID chip data.
• Web data, including a person’s location, IP Address & cookie data.
• Demographic information such as gender, race, ethnicity, disability and sexual orientation.
• Health, genetic and biometric data
• Political affiliations
What Happens if Companies Fail to Comply with GDPR?
European regulators can fine companies up to 20 million Euros or 4% of annual global turnover, whichever of both is greater.
How to get started
A good starting point is to conduct an audit on all areas of your business including your website. Systematically review current data collection and storage procedures. By doing so you can determine what areas require changes to the procedure so that all personal data is processed in a transparent manner.
On the surface, GDPR can be overwhelming but with a step by step approach, you can achieve GDPR Compliance for your organisation.
A Few Things to Consider;
• GDPR applies to all aspects of your business. Review all areas of your company’s data collection and
storage practices.
• Consider what personal data is being collected & stored.
• Do you currently collect/store email addresses? Do you use third-party plugins on the business website?
• Update email signup forms (newsletter and blog) to be GDPR compliant.
• Do company data collection procedures give the individual control over their personal data?
• Are you obtaining the necessary consents when you collect data?
• Your privacy policy needs to be easy to find, easy to read, understand, and avoids jargon.
• Does the individual understand how their data will be used and know how to withdraw consent?
• Remember, you are accountable and must be able to demonstrate compliance with GDPR.
• Is data being stored in a secure way? E.g. Who has access to the data? Is data encryption needed?
• Have you documented all procedures?
• Have you trained your team to be a complaint in how they handle data?
• Have you updated your privacy policy to be GDPR compliant?
Useful Links –
EU GDPR Information Portal
Disclaimer: We are not lawyers. It may be wise to review your current data protection strategy with your legal advisor as well as your IT provider to guarantee compliance.
