GDPR and your Business
The General Data Protection Regulations (GDPR) are a set of rules that are to become enforceable across the EU (including post-brexit UK) from the 25th of May 2018. GDPR builds on existing Data Protection Laws, ensuring that personal data is kept secure by a consistent, Europe-wide framework.
The main additions brought forward by GDPR can be broken down into the following points:
- Knowing your data: You should be aware of what personal data is kept on record (i.e. names, email addresses, bank details etc) and how this is stored. For example, data of a sensitive nature should not be stored in plain text on an unsecured device. You will need to ensure that any service providers (For example cloud storage from Dropbox, or emails from Google) are GDPR compliant.
- Consent: When gathering personal information from a client, you must be explicit in requesting consent – This can no longer be tucked away in small print or be “pre-approved” in the form of a pre-ticked opt-in tickbox. Consent should be as easy to withdraw as it is to give. Consent is also something that needs to be verifiable i.e. “User A opted in for mailing list via sign up form on website”.
- Access to data: Clients have the right to obtain confirmation that their data is being used, and a full summary of what data is stored. This information should be provided digitally, free of charge, and within 30 days.
- Right to be forgotten: Clients have the right to request that their personal information is removed at any point. This extends to any 3rd parties that data has been shared with, and again, must be completed within 30 days of the request.
- Breach Notification: In the event of a data breach, data processors have to notify their data controllers and customers of any risks within 72 hours.
By definition, a Data Controller is anyone who exercises control over data, deciding where and how it is utilised/processed. By extension, a Data Processor is typically a 3rd party service that is given access to data (For example cloud storage from Google Drive, or email marketing through Mail Chimp).
This article is not a complete overview of GDPR, but from a Tech perspective it contains what we believe to be the most relevant points for businesses to consider ahead of the enforcement of GDPR in May.