The EU’s new data protection regulations, known as GDPR, are coming into force on 25th May. I’m not going to go into detail because that’s been done elsewhere. But this article is intended to raise basic awareness of GDPR and point you to the relevant resources to help you become compliant.
Please also note that I’m having my own GDPR implementation day on Tuesday 1st May; I’ll take questions and try to guide you a little if I can on that day.
What you need to know
What is GDPR?
GDPR – the General Data Protection Regulation – is an evolution of the current data protection regulations. The rules apply to any organisation that collects and “processes” personal data about people: customers, clients, website users, pretty much anyone that your organisation interacts with.
The new rules already exist, but will start to be enforced from 25th May 2018.
The new rules are stricter than the old ones. They give organisations additional responsibilities over personal data they collect and use. And they give the people your organisation interacts with additional rights over their personal data.
Does GDPR apply to your organisation?
If your organisation collects and stores any information about people, then yes. This includes (but is not limited to):
- Having a contact form on your website
- Having comments on your website
- Running an eCommerce store
- Taking donations from people
- Running events where you keep details of attendees
- Having an email list
- Storing contacts on your phone
- Storing details of people in any kind of spreadsheet, database or even offline on paper
It even applies if you simply run a website and use website analytics as these can collect data that is personally identifiable – you may not even know this is happening!
What I’m doing
- Auditing all of the different places that I store personal data
- Checking agreements that I have with companies that I store data with are all correct
- Writing new privacy policies and client agreements so that people know what data I keep and process, why I do that, and where that data goes
- Ensuring that I can give people the correct rights over their data (the right to change it, the right to delete it, etc) and am able to respond to requests for personal data
- Ensuring my business systems and processes are adequate
- Ensuring my business security is adequate (it is!)
- Reaching out to clients to make sure they are aware of their responsibilities
So if you are a client or have hosting with me, look out for more information – please read my emails, they will be important!
And generally I’m having a bit of a mindset change. Before I was a bit of a data-hoarder – I wanted to be able to get stuff back if I accidentally deleted it, so I kept multiple copies of everything! I needed a really good reason to delete data.
But from now on I’m going to change. Instead of needing a reason to delete something, I’ll need a reason to keep it. Delete will be my new default.
What you need to do
Hopefully you are at least aware of GDPR and working towards your own compliance. The main thing you need to do is to understand what your responsibilities are and then act on them. This might include (but will not be limited to) some or all of the following:
- looking at the Information Commissioner’s GDPR guide. It looks scary at first, but it’s actually well-organised, pretty succinct, and most important of all, it’s official!
- seeking professional advice if you think you need it (note that I am not a lawyer and cannot give legal advice)
- thinking about all the data that you keep and where you keep it
- thinking about what you do with people’s data
- informing people of what data you collect and process and where it all goes
- finding ways to give people access to their data and the ability to modify and delete it
- reviewing your processes and security around people’s data
- obtaining new “consent” from people to use their data if you don’t have it or if the consent you do have is not adequate
- making sure your staff that handle personal data are aware of their responsibilities
- and you probably need to be asking me: “Ross, what do you do with the data that I control that I pass to you?”
This all sounds really scary!
It is and it’s not. There’s a lot to get your head around, and some work to do, but once you understand the general principles it shouldn’t be too onerous. And it’s important to do it to keep the trust of the people that you collect data about.
The ICO has said “I want to reassure you that there is no deadline. 25 May is not the end. It is the beginning.” and their approach seems to be that they will help guide people to compliance rather than beat them with punishments from the outset. I’ve heard of their approach referred to as “carrot rather than stick”. BUT…that is not to say that you can avoid action.
My GDPR Day
This is a bit short notice, for which I apologise, but tomorrow, Tuesday 1st May, I’m going to put all technical work on hold to focus on my GDPR compliance.
I will also happily take questions from people about it, if I have time. My answers will probably redirect you off to other sources of information, but if I can help you to get started with this then please email me or contact me through my website.
I need to say that I am NOT a lawyer, and nothing in this email or blog post constitutes legal advice, and you cannot hold me responsible for anything that happens as a result of any action that you take, or do not take, as a result of the information I have given. Implementing GDPR for your organisation is your responsibility, not mine. Please seek professional help if you need it.