The GDPR applies to any company that processes the personal data of EU residents, and that includes the UK despite Brexit. Both controllers (the person or company that decides why and how the data is collected and used) and processors (those who process the data on the controller's behalf) must comply with its rules. It also applies to organisations outside the EU if they process EU residents' data.
Once the law comes into effect, companies must ensure:
- All data processing is lawful, fair and transparent: individuals must know why a company holds their data and what is being done with it
- Data is used only for the purpose it was collected for
- Only data that is necessary for that purpose is collected
- The data kept is accurate and up to date, and is destroyed once it is no longer needed
What is personal data?
Everything that currently counts as personal data under the Data Protection Act will still qualify as personal data, and the definition now explicitly covers online identifiers such as IP addresses, as well as economic, cultural and mental health information. Health data, including mental health, is one of the special categories that need extra protection.
How to achieve consent under GDPR?
Consent must be a clear, affirmative action by the individual. Pre-ticked boxes, silence or inactivity no longer count: a box has to be left unticked and ticked by the person themselves. They must also understand what data is held on them and how it will be used, so the request for consent has to be specific and written in plain language. A double opt-in email is one of the most reliable ways to be sure you have obtained consent in a GDPR-compliant manner.
A record must also be kept of how and when consent was given, and individuals must be able to withdraw or update their consent whenever they wish; withdrawing consent must be as easy as giving it.
Individuals' rights have changed too
Under GDPR, every individual has the right to access the information a company holds on them. They are also entitled to be told why the data is being processed, how long it is being stored for and who it is shared with. Subject access request rules have changed as well: the current £10 fee for retrieving personal data is abolished, so in most cases requests must be handled free of charge, and the response deadline shortens from 40 days to one month. Individuals also have the right to have their data erased or exported (data portability) if they wish.
How to avoid pulling a Facebook aka a data breach
To demonstrate that you are complying with GDPR, document everything you do with personal data, from how it is collected to what you actually do with it and who it is shared with. GDPR also requires many organisations to keep a formal record of their processing activities, so this is more than good practice.
IT security must be considered too: personal data lives on Dropbox, on mobile phones and in documents on laptops. GDPR requires security measures appropriate to the risk, and a password on its own is rarely enough. Encrypt devices and files, restrict access to the people who need it, use strong authentication on the services that hold the data, and know where every copy of the data is so it can be found, corrected or deleted on request.
What if there is a breach?
If you believe there has been, or may have been, a breach of personal data, you must inform the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. If it is likely to put them at high risk, the affected individuals must be told as well, without undue delay. Having your processing documented will help if a breach occurs: you will know what data was involved and who it belongs to.
Gaining consent for Marketing
For email marketing, collecting data with a double opt-in is a good way to prove GDPR consent. A double opt-in adds a confirmation step that verifies the email address and makes the individual fully aware of their sign-up. The confirmation record (what was agreed to, and when) must also be stored securely in case it ever needs to be produced later.
Consent is also not for life. GDPR sets no fixed expiry date, but consent does not last indefinitely either: review it at regular intervals and refresh it if the way you use the data changes or the original consent has gone stale, so that contacts remain happy to receive your emails and to have their data stored.
If you obtain data from a third party, you must also ensure that it was gathered in a GDPR-compliant way, and the individual must have been told that their data would be shared with other parties, including you.
The same applies to data you already hold: decide whether each individual's data was collected in a way that meets the GDPR standard for consent. If it was not, you will need to obtain consent again, in a GDPR-compliant way, before continuing to use it.