Are you GDPR-ready? Piece of cake.


Admittedly it’s not a piece of cake, but neither is it a mountain. Possibly a mole-hill… Here’s an overview of what GDPR is, how it affects your business, and how we are helping many organisations tackle the challenge with our web-based app: Hey Mundo!

Data protection law was first created in the 90s, with the UK’s Data Protection Act 1998 (which was based on the 1995 EU directive). Since then the amount of digital information we create, capture, and store has vastly increased, and the landscape of data and personal information has completely changed. The data protection laws were no longer fit for purpose and were long overdue a complete overhaul.

Stage entrance left — on May 25th 2018 the biggest change to data protection rules in two decades comes into effect. It is known as the European General Data Protection Regulation (GDPR, which runs to 99 articles). It will completely change how businesses and public sector organisations handle the information of their customers. Moreover, GDPR has been created to give individuals more protection and rights over their data — who has it, what do they do with it, where do they store it, and for how long? It also gives consumers the ‘right to remove’ at any time.

Put simply, if you are a ‘controller’ or ‘processor’ of personal data, offer goods or services to or monitor the behaviour of any EU citizen, or store any personal data, then GDPR applies to you.

Useful Questions:

WHEN DOES THE NEW REGULATION START?
May 25th 2018

WHO WILL ENFORCE IT IN THE UK?
The Information Commissioner’s Office (ICO)

WHAT’S NEW?
There are new rights for people to access the information companies hold about them, obligations for better data management by businesses, and a new regime of fines.

WAIT, WE VOTED BREXIT!
The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes, but our own law will be largely the same.

Both personal data and sensitive personal data are covered under GDPR. Personal data broadly refers to any piece of information that can be used to identify a person: a name, address, IP address, etc. Sensitive personal data encompasses genetic data, information about religion, political views, sexual orientation, and much more.

If you’re only just hearing about GDPR, here are some of the challenges to start preparing you and your organisation for:

Accountability and compliance

Companies and organisations affected by the GDPR will be more accountable for the handling of people’s personal information. This can include data protection policies, data protection impact assessments and being able to provide documentation on how data is processed and how/when consent was given.

Under GDPR you must be unambiguous in your communication of privacy policy. No longer can you add a tickbox with text such as, ‘If you DO not want to definitely not get any emails relating to Not getting marketing tick here’. Say what you mean, mean what you say.

With GDPR, any “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data has to be reported to the ICO within 72 hours of the breach.

If you have more than 250 employees, you need to document why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for, and descriptions of the technical security measures in place.

Organisations that carry out “regular and systematic monitoring” of individuals on a large scale, or process a lot of sensitive personal data, are expected under GDPR to have a dedicated data protection officer (DPO). Their role will be to report to stakeholders and senior members of staff, to monitor compliance with GDPR, and to be a point of contact for employees and customers. This means data protection will, for the first time, be a permanent boardroom issue.

Any business reliant on using a person’s information to communicate with or market to them must obtain written consent to process that data. Without ambiguity, the organisation must clearly explain what consent is being given and what it will be used for. You can no longer automatically add people to your mailing list because they once emailed you. There has to be a “positive opt-in”, with consent from the individual. No consent means no processing.

Access to your data

At its core, GDPR is about providing individuals with more power to access the information that’s held about them.

At present, if you want to obtain your personal data you have to use a Subject Access Request (SAR). Companies and organisations can (and often do) charge £10 for the privilege. Under GDPR this is scrapped: as an individual you can not only request your data (for free) but also request that it be permanently removed from a company’s database.

If you request your information, an organisation or company has 30 days to provide the data. You will have the right to get confirmation that an organisation holds information about you, access to that information, and any other supplementary information.

Money talks

There are hefty fines being threatened by the EU, GDPR and those responsible for enforcing it. You can be fined up to €20,000,000 or 4% of your global turnover. Not profit. Turnover! Smaller offences could result in fines of up to €10,000,000 (!) or 2% of a firm’s global turnover (whichever is greater).

If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can be fined.

What else?

We do not have all the answers, and neither does the ICO — GDPR is not one-size-fits-all legislation. It’s going to affect different businesses in varying ways, but it is important to remember: it is not complicated, but it is important. We can help.

12 Steps to GDPR

Here are some handy tips on where to start. For everything else there’s Mundo.

1. AWARENESS

Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. DATA HELD

Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. PRIVACY

Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. RIGHTS

Check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. ACCESS

Update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. PERSONAL DATA

Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

7. CONSENT

Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. CHILDREN

Do you need to put systems in place to verify individuals’ ages? Do you need to obtain parental or guardian consent for any data processing activity?

9. BREACHES

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. CODE

Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and how and when to implement them.

11. DPO

Appoint a Data Protection Officer to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

12. Hey MUNDO!

Hey MUNDO! connects you with your customers when they visit your business. It allows them to review their data, edit it, give their consent (or exercise their right to remove) and sign — all from the comfort of your business.

We also provide the ability to sync the web-based app database with email campaigns.

Give us a call and book your free consultation to work out how Hey Mundo! can help your business get GDPR-ready:

Call Steve on: +44 (0) 7971 207 276
or email: mundo@plan-bstudio.com



Steve Price
Plan-B Studio — Ideas. Insight. Design.

Design and brand consultant. Insight. Ideas. Creative director. Father. Brother. F1 fan. Dry Martini, stirred, with a twist. Owner of Plan-B Studio.