The topic on everyone’s mind at the moment, and a conversation at most business events is GDPR.
The General Data Protection Regulation comes into effect on the 25th May 2018. You can read the full official document at https://gdpr-info.eu or read on for an overview.
We’ve found there’s lots of miss-information and scare-mongering that is making a lot of people and businesses worry more than they should.
GDPR is important, and shouldn’t be taken lightly, but it doesn’t have to be as complicated and scary as you might first think.
So, we’ve complied a few pointers to help bust some myths and get you planning for your GDPR processes (if you haven’t already that is).
The ICO (Information Commissioners Office) has provided a great handout to look through to explain what GDPR is, you can find that here – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Within this there are different levels of focus…
Awareness
Make sure all you team know how important GDPR is, and what new processes you are putting in place
Audit and Cleanse
What data do you currently hold on ay living individuals, do you still need it, and what can you get rid of that you no longer need? Do you have any data flows? Does one programme connect to another to link up data? This should be documented and refined to use only the data and processors necessary. Who are you using as data processors? Are they set for GDPR?
Access Requests
If someone request the info you hold on them, you must respond within 48 hours and cannot charge an admin fee
Consent
This is the biggie! Have you got the people on your databases consent to be there?
If you scraped their contact details from a LinkedIn contact database, this is NOT ok, if you took a business card off someone at a networking event and added them to your database without asking them specifically to do this, this is NOT ok.
If you were explicit that you were taking their details and adding them to your newsletter list and asked if that was ok, this is fine.
If you’re mailing list was single or double opt in and you have the info of when and from where they opted in (for example their IP address) this is fine.
The key quote from the GDPR rules are…
“Consent must be freely given, specific, informed and unambiguous.”
Policies
What do you currently tell individuals about how you use their data? Do these need to be updated?
After the GDPR comes into effect, you will need to set your newsletter lists to a double opt-in as standard. Most email systems are now offering tools to help you do this.
Here’s what the ILO specify…
“There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.”
Age of Individuals
If you work with children, you will have to ask for their age and can only keep their data if they are 16 or over. Anyone under 16, you must seek their guardian’s consent. We’ve noticed this recently with the online learning platform FutureLearn, who are now asking your age before commencing future activities.
Data Breech Processes
What is your plan if you have a data breech? You will now have a duty of car, however small or large your business to notify the ILO of any data breeches with particular types of data, and in certain circumstances, also notify all individuals involved.
Assigning a Data Controller
If you are a large organisation, or you deal with a large amount of individuals data on a regular basis, you must assign and promote a data controller and their contact details.
Data Protection By Design
This should be a plan that in future, anything new you set up, always has the data protection element in mind.
So to bust the 2 big myths…
“I’ll get fined” – Will you get fined under GDPR?
“Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.” EUDGPR.org
Basically if you try and make sure you are compliant, and if you have a breech you are swift to tell the ILO, you shouldn’t have any problems about getting fined.
“Do I have to start again with my email list?”
You don’t have to start again if you already have a well-consented database of contacts. It’s a good idea to re-remind those on your list if they still want to receive info from you, out of common courtesy.
“You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent” ico.org.uk
Here at DigiEnable, we have a very lean-data model we work to, so when looking at our GDPR compliance, we decided to start a fresh with our email newsletter list as a way of rebooting our brand too, if you’d like to double opt-in to receive our emails, please fill in our short form at https://www.digienable.co.uk/e-update (or fill in the box on this page)
Thanks – good to have a bit of simplification instead of trawling through the whole thing – I’m only a tiny arts org 🙂