If, like Trace, you’re an SME and don’t have the time or resources to dedicate to GDPR, how do you make some sense of the mayhem?
Here’s our take on what it all means:
What is GDPR?
GDPR stands for General Data Protection Regulation.
It is law as of May 25, 2018, and is likely to remain after Brexit. It replaces the Data Protection Act 1998.
It governs how personal data is collected, held, protected, and deleted by data processors and data controllers (definitions similar to those in the Data Protection Act). In the case of an expert accountancy recruiter like Trace, this means our candidates…
The regulations are silent on whether personal data means only consumer data or whether it includes business contact data as well. Most commentators are taking the position that it is only consumer data, and from our discussions with clients, they too are taking this approach. Our advice would be that, as a business-to-business operation, you probably have a legitimate interest (see later), and as long as you give an easy opt-out, there should not be issues.
Personal data is data that identifies an individual in some way, including:
- Email address
- Social media posts
- Personal medical information
- IP addresses
- Bank details
GDPR introduces tougher fines for non-compliance and breaches (up to 4% of global turnover or €20m, whichever is the greater). Ultimately, the fine will depend on the nature of the infraction. There does not need to be a breach for a business to be non-compliant.
A data breach is any situation where an outside entity gains access to user data without the permission of the individual. Data breaches often involve the malicious use of data against users.
If a data breach should occur, the GDPR specifies that companies must provide adequate notification. The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”
To comply, all businesses must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
- ‘Lawfully’ has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation. Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Businesses must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
- “Transparently” applies to how data controllers or processors collect data, what they do with it, and how they process it; they must be clear (using plain language) when explaining these things to people.
People can ask for access at “reasonable intervals”, and businesses must generally respond within one month.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, businesses should provide secure, direct access for people to review what information they store about them.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
- There is also “a right to be forgotten”, meaning individuals have the right to demand that their data is deleted if it’s no longer necessary for the purpose for which it was collected. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or if they object to the way it is being processed.
The business is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
There is also an exclusion that allows an unsolicited or non-opted-in approach, known as the legitimate interest basis.
There are three elements to the legitimate interest basis. You need to:
- identify a legitimate interest (e.g. if prospecting to sell building insurance, that the individual owns a home)
- show that the processing is necessary to achieve it
- balance it against the individual’s interests, rights and freedoms
So, what should we be thinking about? A few things to start with include:
- For existing data, think about the consent. If it is not clear how and when consent was given, or if consent was passive acceptance such as pre-ticked boxes or opt-outs, don’t use the data after May 2018.
- For ongoing data collection, consent needs to be given via an active, affirmative action by the data subject, so you may need to review sign-up forms and websites. You need to keep a record of how and when consent was given, and you need to be clear about what you intend to use the data for.
So with May fast approaching, it really is time for most of us to make a move on GDPR and at least start making appropriate changes to our processes, to show we are taking reasonable steps to deal with the impact it will have on our businesses.