What Does GDPR Mean for Global Data Protection?
The General Data Protection Regulation is designed to standardise data privacy laws across Europe. The aim of this is to protect and empower EU citizens’ data privacy and restructure the way organisations across Europe approach the subject of data privacy and protecting personal data.
Personal data is anything related to an identifiable person. For example, a name, email, phone number, address etc. Just holding one piece of personal information about someone is classified as personal data.
Collecting Personal Data – You Need Consent
If you have access to someone’s personal data then you need to have had that person’s consent to be in possession of that information. This means affirmative consent that you can prove. The most important thing is to make sure you are abiding by the legislation and can prove it.
Make sure to track how and when consent was obtained, so if the regulatory body challenges your right to the possession of that data you have conclusive evidence on hand to prove you have followed regulations. Think about how your company is capturing consent and what methods you’re using to collect personal information from your customers and the people you deal with.
For example, if you have a contact form on your website you need to ensure you’re providing prospects/customers all the relevant information before they hit the ‘send’ or ‘submit’ button. It is good practice to show a link to your T&C’s, so people have the opportunity to read more about what they’re signing up for.
You must then make sure to offer the ability for people to withdraw consent. For example, if your company sends out emails, then make sure you add the option to ‘unsubscribe’ from the mailing list.
When it comes to collecting personal data, if your company has been importing lists or gathering data from other sources then this could be in breach of GDPR. This may be happening without you even knowing, so this is why it’s extremely important to check your company processes and make your team aware of what they should be doing to adhere to legislation.
Data is incredibly important for a business, but there are a number of things to be conscious of with GDPR on the horizon.
Providing access to personal data
Be aware that any individual can ask your organisation to provide access to the personal data you hold on them. Failure to reveal this information can result in prosecution. They also possess the right to ask your organisation to modify personal data if deemed inaccurate or even delete it if requested.
3rd Party Data Sharing
When you’re in possession of people’s data, it’s your responsibility to make sure it’s protected. It’s imperative that your company has sufficient security measures in place for the personal data you store and share.
Who are you sharing your data with? If you work with other companies and share your data, then you need to find out if the businesses you work with have the right controls in place. If you’re sharing data with a company that is in breach of GDPR regulations then your company can also be prosecuted.
Retention of Data
How long are you keeping personal data in your systems? Do you need the data you’re retaining? As a business, you need to seriously consider these questions and think about whether you need to purge your historic data. The best practice is to make sure your company has a process in place for the retention and deletion of personal data.
It is also important to consider how you acquired your historic data. Did the people you hold data on opt in? If they did not then you could be in breach of GDPR by holding this data.
Implement ‘Appropriate’ Security Measures
GDPR law means that you must make sure you’re protecting people’s personal data by using ‘appropriate’ security measures. ‘Appropriate’ essentially means you must prevent that data from falling into the wrong hands and if it does then your company is liable for the data loss.
In a world were online hackers are becoming ever more prominent this is certainly no laughing matter. Think about your internal processes. How do you protect the personal data you’re in possession of? If everything is just saved on a spreadsheet then this is arguably not a sufficient level of security.
If you’re in any doubt about the nature of your security methods then take the time to research and invest in a way to store data safely. Remember, when your company possesses someone’s personal data it is your responsibility to protect it.
What Should You Be Doing Now About GDPR?
The first thing to do is make sure that GDPR applies to your business. If you have any dealings with EU citizens, regardless of whether or not your company is based in the EU, then the regulations will apply.
The next step is data mapping. You need to be able to answer the following questions:
- What data do you have?
- What data do you collect?
- Who has access to the data?
- What was my promise to people I have data on?
- Do they know what data I have on them?
HubSpot use the phrase ‘Promise and Proof’. Before collecting personal data, people have to know what your promise is. What will you be using their data for? If you have promised it is for reason x then don’t start using their data for y. You must be able to provide proof that you are using that data in exactly the way you promised you would.
Pre & Post GDPR
It is important to be able to show what you were doing before GDPR came into force to prove that your business was taking privacy seriously, and then what changes you made post GDPR to improve your process. This will stand your business in good stead if you’re investigated.
Consent is Best Practice
It is vitally important to be aware of the implementations of GDPR and to start to putting the necessary procedures in place to make sure your business is operating in line with legislation before May 2018.
Consent is best practice. If you have access to personal data then that person must have consented for that to happen. It must be clear what people were signing up for by providing their personal data and your business must not use the personal data in any way other than what was promised in the sign-up process. You must then always provide the option to opt out.
Overall, your business must be able to prove to a regulatory body that if you have possession of a person’s data, they have given you permission to have possession of that data.