It’s now less than 2 weeks until the new GDPR regulations come into force on 25 May. Are you ready? If not – or not sure – then read our summary below.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new piece of legislation that governs how your business uses personal data. It takes effect on 25 May 2018. It applies to any company that holds data.
Does it apply to my business?
If your business collects personal data – including names, addresses, phone numbers – anything that identifies living individuals – you are deemed to be a controller of personal data and must abide by GDPR. So, this is not just about email lists and subscribers. It also applies to digital and paper files and databases that you might have of your customers and contacts.
How should I prepare for GDPR?
You have got to look at what data your business is collecting and what your justification is for keeping it.
How might GDPR change my business?
GDPR should make your business better at protecting the data you have and it should make you think more carefully about how long you are keeping data for. Don’t keep data for 100 years just because you can! GDPR doesn’t want you to do that. It wants you to have valid reasons for keeping that data and to explain that to those whose data it is.
Do I need consent to keep holding personal data?
In order to justify keeping people’s personal data, your business must be able to satisfy one of six criteria. Don’t believe anyone who tells you that you must have consent to store personal data. That’s a big misconception about GDPR – there are 5 other justifications for processing personal data:
Under GDPR, consent to process personal data means having a positive opt-in from individuals, such as a statement of consent. Pre-ticked boxes will no longer cut it. It also has to be easy for people to withdraw consent.
‘Legitimate interest’ is a somewhat vague term, but essentially it means that the processing of personal data should be in the legitimate interests of your business – in other words, necessary to keep in contact with current customers.
Storing personal data is fine if you have a legal or statutory obligation to do so. For example, if you’ve bought a ticket to my event, I have to keep your details on record because HMRC wants me to prove who gave me the money. That’s a legal obligation.
You can rely on this justification if you need to process someone’s personal data to fulfil your contractual obligations to them – or because they’ve asked you to do something before entering into a contract (i.e. provide a quote).
This permits the processing of personal data ‘in the exercise of official authority’. This is only likely to apply to businesses who organise public functions.
If you need to process someone’s personal data in order to save their life then that’s a vital interest. Not likely to apply to most businesses.
What should I do now?