The General Data Protection Regulation (GDPR) became enforceable across the EU on May 25, 2018. In the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998 on the same date.
For most companies holding data about customers, clients or anyone else, this meant a higher bar for compliance than before: the new legislation introduces tougher fines for non-compliance and gives individuals more control over what companies can do with their personal information.
If your business operates within the EU, or offers goods or services to people in the EU (even from outside it), then the legislation applies to you.
Here are 8 things you need to know:
1. The definition of “Personal Data” is broader
“Personal Data” now explicitly covers a much wider range of information, including photos, bank details, social media names, medical information, email addresses, dates of birth, location data and online identifiers such as IP addresses and cookie IDs. The legislation applies only to information about identifiable living individuals, not to information about a business or company as such, although data that identifies a sole trader or an individual employee is still personal data.
2. Record keeping is more important than ever before
GDPR expert and trainer Rachel Doherty said: “You need to keep records of all data that is processed by your business, along with the purpose for processing it, and it should only be kept for a legitimate purpose before being destroyed.
“Processing of personal data is permissible when: consent is given by the individual to process their data (which should be recorded), a contract requires data processing (in the case of employees, for example), there is a legal obligation, a vital interest or public interest, or a legitimate interest – such as personal information collected for the purposes of marketing.”
3. Asking people to “opt out” is no longer acceptable
When collecting personal details for a marketing email list, it used to be common to have a pre-ticked box that individuals would have to untick in order to opt out. That is no longer valid consent. Consent must be a clear, affirmative action: individuals must actively opt in, and you must be able to show a record of when and how they did so. A double opt-in process, in which the individual ticks a box and then confirms via a link in a follow-up email, is not strictly required by the Regulation but is the recommended way to prove that the consent came from the owner of that address.
4. The roles of people in your business
If you determine the purposes for which personal data is collected and the means by which it will be processed, you are referred to as the “Data Controller”. A “Data Processor” is any other person or organisation, other than an employee of the Data Controller, who processes that data on the controller’s behalf. An example would be an outsourced payroll or HR provider.
You must have a written contract in place with any Data Processor you use. The Regulation sets out minimum terms for that contract, including that the processor acts only on your documented instructions, keeps the data secure from unauthorised access, loss or destruction, assists you with breach notifications and subject requests, and deletes or returns the data when the work ends.
5. The right to be forgotten
Rachel explained: “Individuals whose personal data you have collected have the ‘right to be forgotten’. If they request that their data be completely erased, you must comply with this request, and inform any other organisations who hold the data, such as a data processor, to delete it also. There may be certain exemptions where there is a legitimate interest in keeping certain records, such as employee information, which is usually held for at least 40 years.”
6. You have to tell people what information you hold if they ask
Individuals whose personal data you hold can request access to that information (a “subject access request”). You can no longer charge an administration fee for complying with a normal request, and the time limit has been cut from 40 days under the old Act to one month, extendable by a further two months only for complex or numerous requests, provided you tell the individual within the first month. Requests are often very general, and you are expected to provide all the personal data that relates to the individual, along with the purposes of processing, who it has been shared with and how long it will be kept. If the individual is actually looking for something specific, you can reduce the time and expense of complying by asking whether there is a particular piece of information they require and providing just that; however, the clock keeps running while you wait for a reply, and you must still provide everything if they decline to narrow the request.
7. Data breaches must be reported within 72 hours
If you suffer a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, you must notify the Information Commissioner’s Office within 72 hours of becoming aware of it, giving reasons for any delay. Where the breach is likely to result in a high risk to the people concerned, they must also be told without undue delay. A breach that is unlikely to pose a risk (for example, loss of a properly encrypted device whose key was not compromised) does not need to be reported to the ICO, but you must still record it internally, along with your reasoning.
8. Non-compliance can result in fines
Not complying with these regulations could result in a significant penalty. Failures such as not reporting a breach within 72 hours, or not having proper processor contracts and records, fall into the lower tier of fines: up to €10 million or 2% of global annual turnover, whichever is higher. The most serious infringements, such as processing without a lawful basis or ignoring individuals’ rights, fall into the higher tier of up to €20 million or 4% of global annual turnover, whichever is higher.
Contact Rachel Doherty, GDPR & compliance expert at inspiredbusinessconsultancy.com or email [email protected]
Can we help you with your content creation?
Excalibur Press have a great team of experienced and efficient content creators, copywriters and publicists. If there is anything we can help you with please don’t hesitate to give us a call on 07305354209 or email [email protected]