The GDPR Regulations
effective 25 May 2018
The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and applies to all EU citizens. This document aims to explain the rules and responsibilities in a comprehensible way. It is aimed at sole traders and small businesses, so it only covers the points relevant to them. This is an EU law; however, the UK government will apply legislation after Brexit to mirror the regulations exactly, and all UK organisations must comply or may face large fines.
1. Two main roles are identified: a data CONTROLLER and a PROCESSOR. If you keep your customer data in the cloud (online), you are the Controller and the owner of the online service (e.g. Microsoft, Apple, Mailchimp) is the Processor. If you keep the data on your own computer, on paper, or both, then you are both the Controller and the Processor.
2. Any data which could be used to identify a particular individual is covered. This includes email addresses, customer IDs, phone numbers, home addresses, P.O. Box numbers and IP addresses (the number assigned to a computer when it communicates over a network). It also includes documents which reference an individual, such as an invoice, credit note, medical record, client history/progress document, etc.
3. All such records must be kept securely. Electronically kept documents should be password protected, using as strong a password as possible. Paper documents should be kept locked away when unattended, preferably behind a double lock, e.g. in a locked drawer in a locked room, with the keys in the care of the data controller, who will be responsible in the case of a security breach.
4. Electronically held documents should be stored on a password-protected device (computer, iPad, etc.) and in a password-protected file. Knowledge of these passwords should be kept strictly on a need-to-know basis, and the passwords should be as strong as possible (see Hints and Tips below).
5. Any breach of personal data should be reported to the authorities within 24 hours (a maximum of 72 hours is allowed if it is noticed at a weekend). They will need to know what the breach was, how many records are affected, what data may have been seen or taken, and what steps are being taken to remedy the situation.
6. The ICO defines a Personal Data Breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
7. You have the right to hold data for legitimate business reasons, e.g. customer lists.
8. People may request a copy of the data you hold on them at any time, and you must respond within 30 days. This includes customers, employees and any other group whose data you hold and/or have access to.
9. They also have a ‘right to be forgotten’. If they indicate that they wish this, all relevant records should be deleted, except where this may have financial implications.
10. Any records no longer in use must be deleted, for example when a customer has moved away or has not used your services for a defined period of time.
11. You should have a clear GDPR policy, which is held and displayed separately from your other terms and conditions. This applies to websites, invoices, despatch notes, customer record forms, etc.
12. If you are likely to send updates, promotions, news, etc. to your customers, they must consent to this and their consent needs to be provable, so you will need to record the consent, when it was given and how.
13. You can no longer treat contact as an opt-in to emails from you and require people to tick a box to opt out. The onus is on them to declare their wish to receive email, so you should provide a box for them to opt IN. This constitutes proof of consent; an opt-out box does not. Opting in should not be a condition of their receiving services or products from you.
14. Parental consent is required to process the data of children under 13. In certain other EU countries the age may be 16, so it is wise to check, or to require consent for anyone under 16, as dual nationality may apply.
15. If collecting email addresses from a website via Mailchimp or similar, it is advisable to send a letter or email to any respondents stating their GDPR rights and advising them how to opt out. On Mailchimp this can be set up to send automatically.
16. Opting out of a mailing list should be easy to do and clearly described in your GDPR statement.
17. You will only need to request consent from existing clients if you send out newsletters, promotions, etc. (including Christmas cards!!). If you simply hold a customer list for your own records and do nothing with it, then you only need to make sure you keep it up to date.
18. You can still ask people to give their email address to download an e-book or document, but you must include a box asking whether they want to receive further news. A box asking for their email address if they want to keep in touch is provable consent, but this should also be stated in your GDPR statement.
19. Don’t Panic!! Fines will be proportionate to the size of the organisation and the type of breach, as well as the steps taken to ensure data was as secure as possible. If you can show you have followed the regulation’s tenets to the best of your ability, you will receive credit for it.
Hints and Tips
1. Details of the regulations can be found in (more or less) plain English on the Information Commissioner’s Office website: ico.org.uk/
2. Try looking at your own rights first on that website. It is written for the public, so it is written in the most understandable way. If you understand your own rights, you will better understand what you should be doing with other people’s data.
3. Google it. There is a lot of information out there, and if you can’t find (or don’t understand) it on the ICO site, someone may have put it better elsewhere.
4. Update your website. Add your GDPR statement, even if it is just to say that you only keep data for customer records.
5. Use your website. If you can’t get consent from people when needed, put your news, promotions or a blog on your website. You can add a virtual Christmas card too!
6. Passwords. A good tip for a strong password is to think of two words that are as unconnected as possible and add a 4-digit number in the middle, e.g. Spanner3972Fishwife. This will satisfy most password checkers, and you can always add ! or ? within the number (Spanner39?72Fishwife) for those requiring an ‘other’ character.