Unless you’ve been living on the Moon for the last couple of years, you will be fully aware of the new General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018 and replaces the Data Protection Act 1998.
There has been a lot of talk and information around its implications: some have compared it to Y2K, some see it as a money maker, and others are on board with the changes to current practices for how our personal data is handled.
Whatever your opinion on these impending changes to our legislation, the point is that the law changes on 25th May 2018, so the question is: are you compliant or complacent?
The fact that some are comparing GDPR to Y2K is, to me (Sam), somewhat worrying. We’re not talking about computer systems that may or may not be affected by a year change; we are talking about a change, a progression in legislation, a change in law, basically what you have to do. It won’t be a case of ‘Oh sh*t, it’s the 25th May 2018, we must be GDPR compliant’ and then ‘We made it to the 26th, the sky hasn’t fallen, we’re OK’.
GDPR will be an evolving entity. The reason is that our world and our society have changed significantly since the Data Protection Act 1998 was written. With the increased use of the Internet, the invention of smartphones, tablets and the like and, most importantly, social media, the way personal data is handled, processed and stored has changed enormously in the last 20 years.
So, ask yourself this one question: “How do I want my personal data to be handled?”
If your answer is “I really don’t care” then I guess GDPR really is a Y2K problem for you; however, as a business you need to consider how your customers and suppliers answer this question.
As previously stated, there is a lot of information out there about GDPR, but are you reading the correct information? There has been some scaremongering, for SMEs especially, that if you’re not GDPR compliant on 25th May the ICO (Information Commissioner’s Office) will be hunting you down, ready to hang, draw and quarter you, i.e. issue you A HUGE FINE. Well, that’s not the case!
In the ICO’s own words:
“And just look at our record: Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”
Source: https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/ (accessed 07/03/18)
So, what do you need to be thinking about?
Well, I’m not gonna lie, there is a lot!
My first suggestion would be to look at and assess what data you currently hold:
- What data do you hold?
- Where do you hold that data?
  - Remember you may have a number of systems, e.g.
    - Accountancy software
    - Email marketing software
    - Excel spreadsheets
    - Access databases
  - Have you shared this data with a third party, e.g. a supplier?
    - If so, why? And how do they store this data, and for how long?
- Why are you holding that data?
  - Customer relations
  - Prospective customers
  - Or just because ….
- How long will you hold that data for?
  - Have a policy in place to ensure all data is ‘cleaned’ regularly
We at CFL are currently working on updating our data policy, which will be shared on our website when ready (hopefully before the 25th May 😊).
And don’t forget those hard copies you have filed away ….
Now that you know what data you hold and where, you need to consider why you’re holding it.
When it comes to customer relations, such as processing orders and sales, you’re pretty safe: you have a lawful basis (a contract, or a legitimate interest) for holding such data.
The grey area appears when we talk about marketing.
‘Consent’ has become something of a buzzword when it comes to emailing, texting and generally sending information to customers and prospects, but it is only one of the six lawful bases and is not always the right one.
What you need to establish is the ‘lawful basis’ on which you contact someone. This is covered by the following six points (listed alphabetically, with links to the ICO definitions):
Whether you are a Data Controller or a Data Processor, GDPR still applies to you, and you should make sure you know where you stand with regard to your obligations; key definitions can be found on the ICO website.
You may ask who in your organisation is responsible for data: in short, WE ALL ARE!!
But you may also want to consider appointing a DPO (Data Protection Officer).
Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Further information about DPOs can be found on the ICO website.
When we said there was a lot to be thinking about, we weren’t lying. Don’t forget that as technology and social media platforms evolve, so too will the guidance on how GDPR applies, so it is important to keep up to date with any and all changes in the legislation and in the ICO’s guidance.
You will notice we have referenced the ICO website a lot in this article: that is because it is your most reliable resource, so use it! https://ico.org.uk/
If you are just starting to look into GDPR, the ICO has put together a 12-step guide; we recommend you at least glance through it and then investigate your own needs and obligations further.
Further links you may find helpful: