Today sees the long-awaited enforcement date for the General Data Protection Regulation (GDPR), which businesses have been preparing for since April 2016, when the law was first published.
GDPR sees a huge change in the way businesses store and use personal data, with the emphasis changing to one of explicit consent from those to whom the data relates (the data subjects). Businesses must now be more responsible for the way they use personal data too, needing lawful reasons for both the collection and processing of such data.
This new law is great for consumers, who have historically been bombarded with marketing material for products or services they may or may not have any interest in, or have had their email addresses added to mailing lists they never signed up for.
GDPR will also be good for businesses in the long run, because their mailing lists are more likely to contain engaged customers, resulting in greater conversion rates. However, in the meantime, there is a lot of work to do for those who haven’t prepared for the changes.
To comply with the new GDPR, the Information Commissioner’s Office (ICO) advises the following:
- Document what you collect – A large part of GDPR is about ensuring you don’t collect personal information that you don’t need. To prove that this is being done you need to document what you collect and from where, as well as who you share it with. The GDPR outlines a number of lawful processing reasons that you should apply to your processes to help you justify why you are collecting and using personal information.
- Align your procedures with the rights of data subjects – GDPR provides data subjects with more rights, one of which states that they must provide consent before you can hold and use their data. Therefore, you must ensure that you have procedures in place which respect these rights and which you can fall back on should you need to prove this.
- Communicate your policies – It is important that you review your current privacy policies and align these with the GDPR. You should then make these available to the public, to inform them about what data you keep and why.
- Data protection and breaches – An important part of being a responsible data processor is the protection of that data. You must, by design, have processes in place to protect information from unauthorised access, and in cases where those protections fail, you must be able to detect, investigate and report on what happened.
- Data on children – If your business handles personal data belonging to children, special measures must be put in place to obtain the permission of their parent/guardian.
For more information about the GDPR, the Guide to General Data Protection Regulation website from the ICO goes into specific detail about the law and your responsibilities under it.