15 May GDPR – Get the gist for busy people
At Hidden Media, we thrive on exciting projects and working with changemakers, movers and shakers.
Compliance and legislation are terms that make us visibly shudder. It’s not that we sail close to the wind (well we are sailors, so sometimes it’s inevitable) but forgive us for stifling a yawn, or many, when faced with reading the EU General Data Protection Regulations (GDPR).
Granted, the 1995 EU Data Protection Directive, needed updating and we’re all for improving the rights that EU individuals have over their data, but the problem is, it’s so incredibly boring.
By all means, dive into the full GDPR report here. But with nearly 100 articles to digest, you best set aside an entire weekend.
If you’re like most ambitious, busy business people that would much rather get the gist of what it’s all about, we’ve saved you the tedium of reading it all yourself with our little guide to GDPR below:
In a nutshell
- Be lawful, fair and transparent.
- Collect only the data that you actually need.
- Retain as little personal data as possible.
- Ensure all personal data is accurate & kept updated.
- Do not keep data for longer than you need it or are consented to hold it.
- Keep all personal data safe & secure.
- Be prepared to demonstrate that you’re undertaking points 1 to 6!
So what data can you hold?
The main principle of GDPR is that You must have consent to hold data – don’t rely on assumed consent, unless your contact has explicitly ‘opted in’, they have effectively opted-out. All opt-ins must be made clear and can not be tucked away in small print. If the data owner is younger than 16, you need parental consent.
But that’s not all, you must now either:
- Have a practical reason to hold the data.
- Have a legitimate reason to process it.
- Have a legal obligation to use it.
- Process data to protect the data’s owner or another individual.
- Process data because it is in the public interest.
There are now some types of data that you are forbidden from holding. These include any data that concerns:
- Ethnic or racial origin
- Political views or opinions
- Religious or philosophical beliefs
- Trade Union membership
- Genetic or biometric data for the purpose of uniquely identifying someone
- Data concerning health
- Someone’s sex life or sexual orientation
- The data owner has given specific consent
- It’s related to employment or social security
- Processing the data would protect the data owner
- You’re an organisation that directly relates to one of the above & the data owner is regularly involved with you
- The data is for the public record, and the data owner is aware of this.
- The data is for use in court or another legal reason
- The data would meaningfully impact public interest
- The data would be used to help in medical research
- The data would help to preserve freedom
- The data would be used for historical purposes, e.g. in an archive
If a contact, customer or client requests to see their data, you must provide it to them freely, in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. The only exception is if you have a valid reason to believe that they are not the person that they say they are. You are permitted to request proof of identity, and of course, under your obligations to keep people’s data safe and secure, you would be well-advised to do so.
If requested, you must provide data within one month, after which a formal complaint may be lodged against you.
The right to be forgotten
If someone requests that you remove their data, you must do so. They have effectively withdrawn their consent and you must no longer process their data and ensure that it is securely removed from your system.
You must also remove any data when you no longer have a valid, practical, legal or legitimate reason to hold it.
In certain circumstances, an individual may request to restrict how you use their data:
- If they believe the data is inaccurate
- If it’s being processed unlawfully
- If they don’t want their data erased
- If you no longer need it, but they still require it for use in a legal context
In the case of erasure or restriction, you must let the owner know when their data has been erased or restricted.
Don’t sit too smugly just yet – you may already comply with all of the above, but is your data secure?
If your data is held with a big company like Mailchimp, Hubspot or Sendible, then they will have their own security and encryption policies and methods in place.
If you are holding data on your own systems you must make sure that:
- No data is traceable to the data owner – the technical term for this is ‘pseudonymisation’.
- All data remains confidential
- You can quickly recover any data if there is a disruption to your system
- You can test your data security procedures/systems
- Anyone with access to data has the right to use it & is using it for the right reasons
All data breaches must be reported to the ICO within 72 hours of discovering the breach. You will have to inform the ICO of various things and you may have to declare the breach to all those whose information has been leaked. With fines of up to €10,000,000, if you find yourself in this position, it’s time that you read the GDPR report for yourself!