Are you ready for GDPR?
The new General Data Protection Regulation (GDPR) comes into force in the UK in May 2018. Many businesses may well not be prepared or may not fully understand the implications of the regulation. If that is you, it's time to get reading (please note that what follows is offered as advisory information and not as legal advice).
What are the new regulations?
The GDPR is designed to empower us, as members of the public, to have full control over the way that businesses use and process our data. The data subject has various rights regarding their data, and these include:
- The right to have their data corrected. If your name is constantly misspelt you can request that it be changed. More seriously, if you have a negative mark against your credit score which is an error, then this should also be correctable.
- The right to have their data removed. If you want your data removed from a company's system then you are able to request it and, unless there is a good reason why not, the company must oblige.
- The right to have their data made inactive. If, for example, you don't want to get monthly emails, you may wish to "pause" them rather than completely unsubscribe. The new regulation would enable this.
- The right to access their data. Data subjects are allowed to request a copy of the data you hold about them, and you are to supply it!
- The right to object to their data being processed. This relates to automation and profiling, for example.
What is personal data?
The regulation defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Here are some things to consider:
- I only hold data about businesses. Great, but what if they are sole traders? They can be easily identified by their name.
- What about my customers? The regulation states that the controller can have "legitimate interests" and can also hold data "necessary for the performance of a contract". In this case you are still obliged to tell the subject that you hold their data.
- What about emails? I think this is an interesting one and an area to watch. You send me an email from firstname.lastname@example.org: is that personal data? If so (even though you have legitimately given me the message), can you then request that it be removed from my system?
So what does this mean for my business?
Any business needs to ask itself a number of questions; depending on the answers, you may need to respond in certain ways.
- What data do I hold about my customers?
- Is it accurate?
- Is it accessible (to me, i.e. if they want it, can I easily get at it)?
- Is it still required? If not, contact the subject and advise them that you intend to remove their data and, perhaps as a courtesy, provide them with a copy of it.
- Am I legally obliged to hold this data?
- What terms and conditions do I provide to my clients, and are they clear and easy to understand? In future, any data storage process requires you to tell clients upfront what you will do with their data, including how long you plan to store it for.
- Do I process data about children or vulnerable individuals? If so, extra special care has to be taken regarding their details.
- How secure are my office, my PC and my laptop, where the data in question is stored?
- Does my data ever leave the UK/EU? Are you hosting a website with data capture in America, for example? If so, this needs clarification.
- Data backups: if someone asks to change their data you will need to be able to amend all copies you hold, and this includes backups.
What happens if something goes wrong?
Let's say someone comes to you and asks for a copy of their data. You are obliged to respond in a timely manner (one month at most). Should you not wish to do that, then the subject may approach the Information Commissioner.
Much hype has been made about the GDPR fines, which can run into the millions, but this seems likely to be a problem only where the relationship between the data controller (the business) and the data subject (the individual) has broken down, i.e. the business refuses to respond. Alternatively, if there is a significant breach (say your office is burgled and you lose 20 million people's records) and it can be shown that you didn't secure your data sufficiently, then you could well be fined.
The key is to look at the data you hold in advance, to make sure you would not be liable.
As with many regulations there will always be grey areas. It means that the realm of data protection needs to be monitored for when those grey areas suddenly become black and white! One example is IP addresses. I won't go into details here, but a recent German court case could provide clarification; it wasn't at a European level, though, so this is something we need to keep monitoring.
Wherever you are on the Brexit divide, unfortunately this won't stop the GDPR coming into force. The reason is that the ICO is actively supporting it, and were we to withdraw, the UK would become external to the area within which data can be shared legitimately. Brexit won't be stopping the regulation any time soon.
What HWS do and offer
Here at Hatton Web Solutions I am very aware of the impact that the GDPR will have. As such, a project undertaken with me will raise a number of questions, potentially the intrusive ones above, prior to starting. Do you need to hold the data? What happens if? HWS would be considered a data processor, and specific rules apply to us within the GDPR. For example, if your project lets me have 20,000 email addresses, I would break all the rules by then "borrowing" them (EVEN with your blessing) and contacting them directly. Although I cannot offer legal advice, I am happy to advise where I can.