On 25 May 2018, most processing of personal data by organisations will have to comply with the General Data Protection Regulation.
Ok, so what’s all the fuss about – Data Protection has been around for years, hasn’t it?
Well, yes, it has, but the new regulation tightens up so much of what we’ve been used to doing, and that’s where the work is. There’s a lot to check.
Here’s what the ICO (Information Commissioner’s Office) has to say:
"Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently."
It’s the last sentence that has all the work in it. We started with the Principles, got as far as Article 5 and Recital 39, and went looking for an easier section. There wasn’t one, but we did find this helpful summary:
Who does the GDPR apply to?
• The GDPR applies to ‘controllers’ and ‘processors’.
• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.
• If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
• The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
• The GDPR does not apply to certain activities including processing carried out by individuals purely for personal/household activities.
So, the first thing is, are you a ‘controller’ or a ‘processor’?
Then, what information do you keep about individuals and what do you use that information for?
Then there are the issues of the lawful basis for processing, consent, legitimate interests, special category data, exemptions, and so the list goes on.
And of course, we all keep personal information, even if it’s as little as a telephone number and an email address. When you start to think about it, this is pretty big, because everything will need to be checked and accounted for properly.
So what do you need to do?
• Decide if you are a Data Controller or a Data Processor (if you run a small business, you’re probably both)
• Make a bullet point list of all the different types of personal data you hold (suppliers’ information will probably differ from customers’), why you are holding it and what you’re using it for
• Look at how you get and manage each individual’s consent for you to keep this information. For instance, do they have to tick an ‘opt-out’ box, or do you ask them to tick to ‘opt-in’? Under the GDPR, consent has to be a clear, positive action by the individual; silence, pre-ticked boxes or an opt-out default won’t count
The ICO have also released some useful documents, including their ‘12 steps to take now’ guide and a checklist for both data controllers and data processors.
There are reams and reams of information on their website too.
But even with all this information, it’s hard to navigate your way through the terminology and know how this relates to you and your business.
So, Business Northumberland are running half-day workshops across Northumberland in the New Year. They have already proved very popular, and the first two sessions are fully booked!
It’s well worth spending half a day hearing about what you need to do, picking up useful tools to help you do it, and working with other businesses in the same boat. We look forward to seeing you there.
All our workshops are listed under the events section of the website.