You’re probably getting an email a day about ‘updated Data Policies’ and ‘GDPR’. Hopefully you’re aware that by the 25th of May 2018 all organisations need to comply (yes, that includes you) with these new data laws, but let’s go over the basics so you’re clear.
Brief General Data Protection Regulation (GDPR) Overview
The Data Protection Act 1998 is the framework under which all data is currently stored; while well crafted at the time, it was written before Facebook, Google and the huge amount of data processing which is now occurring. The Internet has also evolved significantly, so the law needs to as well.
The main purpose here is to ensure that your “Personal Identifiable Data” (P.I.D.) is properly protected, and ideally in your control. Overall that’s a good thing, though it does mean a bit of work on behalf of anyone who stores such information, e.g.:
- Email Addresses
- Phone Numbers
- Postal Addresses
- I.P. Addresses (those 192.168.0.1 numbers)
In short, if you can identify an individual with the data, then it’s their PID and should be protected. Moreover you need to be able to justify why you are storing this data; only store it for the amount of time needed; provide someone with a list of what you hold on them on request; and delete their PID if requested (though not information which other legal purposes require you to keep, e.g. HMRC accounting records).
To be specific, GDPR covers the following. In the ICO’s words, “The GDPR provides the following rights for individuals:”
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Source: ICO Website: Individual’s Rights. We would encourage reading through all of this GDPR guide; it’s pretty clear and comprehensive.
EU Law/ Brexit?
Yes, this law, and the ‘Cookie Law’ before it, have come from the EU, but that doesn’t mean it won’t be applied post-Brexit. In fact, most of the data laws we have originated in the UK anyway and became EU law from there. Also, post-Brexit many of the EU laws are getting a UK equivalent because of the continued need to trade with Europe. In other words, it’s going to stay; likely the only change will be the level of fines.
ICO/ Scary Fines?
The Information Commissioner’s Office (ICO) is tasked with implementing this law. While they messed up their advice on the Cookie Law (getting it wrong on their own website), this time round their support is much more comprehensive.
There are some serious fines if there is a breach and you’ve not done anything about GDPR, but that’s not really the ICO’s approach at all. They would rather help you comply than fine you (this was shown true with Cookie Law compliance).
Basically the press has played up the outrage/shock angle as usual because it makes for a better headline. Instead you might find reading the ICO’s ‘myth-buster’ blogs helpful:
- GDPR Sorting the Fact from the Fiction (Myth 1 – Fines)
- Consent is not the ‘silver bullet’ for GDPR compliance (Myths 2 & 3)
- GDPR is an evolution in data protection, not a burdensome revolution (Myth 4)
- GDPR Setting the record straight on data breach reporting (Myths 5 – 8)
What to do about GDPR
Do a Data Audit determining:
- What Personal Identifiable Data you have
- Where and how you store/protect it
- Whether you need it
And then take steps to:
- Update your Data Policy
- Ensure you have Consent to collect such data
- Perhaps combine/ simplify where the data is stored
- Take security measures
- Update your website/ email newsletters/ etc
This needs to be done by May 25th, and some steps may take more than a couple of hours to complete, so please don’t leave this to the last minute.
This is long-overdue and generally a good thing. Indeed, if you were sort of up to speed on the Data Protection Act 1998 then this will mostly feel like version 2.0, updating it for the modern age.
However, while aimed mostly at bigger companies (e.g. the data-processing social media giants), it does have a meaningful impact on all organisations, and is a bit of a drain on smaller ones in setup terms.
For the most part we think this will clarify what ‘data’ is (not just digital!) and keep privacy high on people’s minds. Mailing lists are one area where extra care needs to be taken.