With the General Data Protection Regulation (GDPR) deadline of 25th May 2018 quickly approaching, you need to start preparing your business if you have not already. GDPR is likely to affect all businesses with clients. If you are not already familiar with this regulation, please see our article “GDPR – How will it affect you?” for more information. GDPR can sound daunting and complicated at first, but it is important to understand its requirements in order to become compliant.
We have put together this guide to give you a helping hand with preparing for GDPR:
If you rely on legitimate interests to process information, you need to be able to demonstrate that interest and check that it is the most appropriate lawful basis for the processing.
An example used by the ICO of a legitimate interest is:
‘A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – i.e. to recover the debt.’
When gaining consent to hold and process personal information, you must explain how the data will be used, why it will be used, who it will be passed on to, how it is stored and how long it is stored for. If you did not explain these things when you previously obtained people’s consent, you will need to renew your policies to avoid any penalties.
Contact forms should be clear, and information must not be hidden in small print. When asking for consent, the form should be designed so that users can choose exactly what they consent to; a general ‘I consent’ checkbox will not meet GDPR requirements.
Ensure that you keep a record of any consent given, including when and how the consent was obtained. You must renew consent every 2 years.
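As an added illustration (not code from the article), the following Python consent ledger applies the two rules above: consent is recorded per purpose, together with when and how it was obtained, and processing is refused for any purpose that was never consented to, has been withdrawn, or is older than the article’s 2-year renewal period. The `ConsentLedger` class, the `utc` helper and the purpose names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RENEWAL_PERIOD = timedelta(days=730)  # the article's "renew consent every 2 years" (assumed as 730 days)

def utc(year: int, month: int, day: int) -> datetime:
    # Helper (assumed): always store consent timestamps as timezone-aware UTC values.
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentRecord:
    purpose: str                      # one specific purpose, e.g. "newsletter"; never a blanket "I consent"
    given_at: datetime                # when consent was obtained
    method: str                       # how it was obtained, e.g. "signup form v3, checkbox 2"
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Per-subject, per-purpose consent history: the audit record the article asks you to keep."""
    def __init__(self) -> None:
        self._records: dict[tuple[str, str], list[ConsentRecord]] = {}

    def record(self, subject: str, purpose: str, given_at: datetime, method: str) -> None:
        self._records.setdefault((subject, purpose), []).append(ConsentRecord(purpose, given_at, method))

    def withdraw(self, subject: str, purpose: str, at: datetime) -> None:
        history = self._records.get((subject, purpose))
        if history:  # mark the latest record as withdrawn; earlier history is kept for audit
            latest = history[-1]
            history[-1] = ConsentRecord(latest.purpose, latest.given_at, latest.method, at)

    def may_process(self, subject: str, purpose: str, now: datetime) -> bool:
        """True only if consent for exactly this purpose exists, is not withdrawn and has not expired."""
        history = self._records.get((subject, purpose))
        if not history:
            return False
        latest = history[-1]
        if latest.withdrawn_at is not None and latest.withdrawn_at <= now:
            return False
        return now < latest.given_at + RENEWAL_PERIOD

    def renewals_due(self, now: datetime, within: timedelta = timedelta(days=30)) -> list[tuple[str, str]]:
        """(subject, purpose) pairs whose consent has expired or will expire within the window."""
        return [
            (subject, purpose)
            for (subject, purpose), history in self._records.items()
            if history[-1].withdrawn_at is None
            and history[-1].given_at + RENEWAL_PERIOD <= now + within
        ]
```

A scheduled job calling `renewals_due` gives you the list of people to re-contact before their consent lapses, rather than discovering the lapse at processing time.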
Data from Third Parties
When receiving data from third parties, you are responsible for ensuring that it is GDPR compliant. To check this, you could:
- Ask how the data was collected.
- Ask where consent was obtained from, and for proof of this.
- Ask whether the data has been screened against the Telephone Preference Service or the Mailing Preference Service.
- Ensure that your company name was given when the data was collected.
You need to be able to demonstrate why you have collected personal data and give people the opportunity to object to the processing of their personal data. To demonstrate that you are compliant, you must be able to prove that you have informed the individual how you are using their data and why.
Unsure whether you should process data?
There are 6 lawful grounds for data processing; if you are not processing for one of these reasons, then you are not compliant:
- Consent of the individual to the processing of their personal data
- Processing necessary for the performance of a contract
- Necessary for compliance with a legal obligation
- Necessary to protect vital interests
- Necessary for the performance of a task carried out in the public interest
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden
So what do I need to do when collecting data?
Whatever reason you have for processing data, you must ensure that the individual whose data you hold is aware of your company name and contact details. You need to inform them why you are processing the data and which third parties their personal data will be passed to, including the reasons why. Inform them how long the data will be held for and exactly what it will be used for. You must also explain their right to complain to the local supervisory authority; in the UK this is the Information Commissioner’s Office.
CCTV is a must for some organisations to enhance security or for health and safety reasons. If you are using CCTV, it is important that you are aware of what you need to do to be compliant. You must be able to justify your reasons for using CCTV and take into account the area your CCTV covers. Display clear signage so that people are aware they are in an area where CCTV is in operation. You will also need to look at the length of time that footage is stored; this must be reasonable, and it should be stated on the signage so that people are informed.
If a breach occurs, you must report it to your local supervisory authority within 72 hours. You may also need to notify the parties affected by the breach. Failure to report a breach could result in penalties.
Don’t wait until the 25th May deadline to become compliant with GDPR: this is the date the legislation comes into force, so you must already be compliant by then. Taking all the steps to prepare now will mean that you are compliant by the time of enforcement and will avoid penalties.
This article is not legal advice. You are advised to visit your local supervisory authority for full details on GDPR.