25 May 2018 is the day the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998.
As a business that handles and manages consumer data, we have spent more than 12 months creating a roadmap of what we need to have in place. But for a lot of businesses, there are immediate steps that can be taken to become compliant with the new regulation.
Opportunity for advantage
The first thing to note is that a technical solution is not the panacea; a piece of software won’t make you compliant.
It’s up to you to make sure that you know what your responsibilities are and understand what you need to have in place, such as processes and policies. Importantly, you must be able to demonstrate that you can comply with GDPR – i.e. you must be able to show that you are accountable.
Another important step is to gain buy-in from the top of your organisation, so that the steps you will take are valued. If GDPR processes are seen as a box-ticking exercise, chances are gaps will appear throughout the organisation that put you at risk.
Instead, look at GDPR as a way of acting responsibly and as an opportunity that could give you a competitive advantage.
Frequently asked GDPR questions
As a data-driven business, we are often asked by other businesses for guidance on GDPR preparation. So, in the lead-up to 25 May, The Lead Agency’s compliance manager Kathy Fleming will be answering some of the burning and more common GDPR questions to help you with your preparations.
“We’re an SME with just over 100 employees – do we need to do anything about GDPR? Isn’t there an exemption?”
KF: If you handle personal information, then you have responsibilities under data protection law and the introduction of the GDPR doesn’t change this. GDPR places obligations on organisations to document and maintain records of their data processing activities. However, there is a limited exemption which means that if you have fewer than 250 employees, you only need to keep limited records. Don’t forget, you may be required to make the records available to the Information Commissioner’s Office (ICO) on request!
The ICO website has produced some useful templates that you can use for this purpose.
“Do we need to appoint a Data Protection Officer (DPO)?”
KF: There is a duty to appoint a DPO only in certain circumstances (if you’re a public authority or if you carry out activities on data that require large scale, regular and systematic monitoring, such as online behavioural tracking).
However, even if you aren’t required by law to appoint a DPO, you may decide to voluntarily appoint someone to carry out these tasks, or you may just decide to make someone responsible for making sure that data protection is given due consideration throughout your business. The consequences of getting it wrong can not only mean a financial penalty, but your brand and reputation may suffer too.
“What is the Right to be Forgotten and what does this mean for businesses? Do we have to delete records if an individual asks us to?”
KF: The Right to be Forgotten (the Right to Erasure, to give it the correct name) is not an absolute right. Basically, it means that certain conditions must be met before an organisation has to erase data:
- If it’s no longer necessary for you to keep the data
- If you asked for consent to process the data and then consent is subsequently withdrawn
- If you relied on ‘legitimate interests’ to process the data and the individual objects, and you can’t prove that there are any overriding reasons to continue processing it
- If the individual objects to direct marketing
- If you haven’t processed it lawfully in the first place
- If a legal obligation compels you to
- If the data has been processed in relation to data collected from children, especially processing of this information on the internet.
“What does the right to be informed mean?”
KF: If you collect personal data from individuals, you must provide them with certain information. This applies to employees as well as your customers and, generally, you should do this at the time you collect the information from them. One way to do this (especially if you are collecting information online) is to provide easy and simple access to a Privacy Notice on your website. The information you provide should include:
- Your name and contact details (including your Data Protection Officer if you have one)
- The purpose for processing their data
- What lawful basis you are relying on (consent, performance of a contract, etc.)
- How long you are going to keep the information for
- What their rights are
- Who they can complain to
If you have a question, email it to email@example.com or post it as a comment on LinkedIn.