With the EU’s new General Data Protection Regulation (GDPR) coming into full force on 25th May 2018 it’s vital that organisations are prepared and ready for the new law once it comes into effect.
Over the last few months at Red Balloon we’ve been helping our existing clients with compliance for the new laws and have a vested interest in ensuring readiness for the changes. If you require any support with GDPR or would like help in getting compliant please contact us.
GDPR, what you need to know
Data protection in the UK was governed by the Data Protection Act 1998, but this has been superseded by the General Data Protection Regulation (GDPR) enacted by the EU. These laws set out restrictions on how – and what – data can be collected, stored and processed. They also set out how organisations must act in the event of a data breach.
You can learn more about data protection law and regulations directly from the Information Commissioner’s Office (ICO) website. To ensure that your company is compliant with the updates to data protection law, you can use the checklist on the ICO website.
Rights of individuals
The data protection laws guarantee these rights for all people in the UK and EU:
- Right to be informed
Individuals have the right to know how their data is being used.
- Right to access
Individuals have a right to see what information has been collected and stored on them.
- Right to rectification
Individuals have a right to have their data corrected if it is incorrect.
- Right to erasure (or the right to be forgotten)
Individuals have a right to have their personal information deleted if they don’t want you to hold it any more.
- Right to restrict processing
Individuals have a right to suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it.
- Right to data portability
Individuals have a right to export their data from one location to another. Individuals can’t have their personal data locked into a single system.
- Right to object
People have the right to not give you their information unless it is absolutely necessary.
- Rights in relation to automated decision making and profiling
Individuals have a right to have their data processed by a real person. Automated profiling requires express permission from the individual, and upon request it must be reviewed by a person.
Under the Data Protection Act 1998 these rights were different for people who were representing companies. This is no longer the case under GDPR.
Legal Basis for recording data
There are eight lawful bases for recording data:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
- Special category data
- Criminal offence data
None of these is considered legally more important than any other; however, the most common will be Consent, Contract and Legitimate interests.
For further information on the most common lawful bases and how to get compliant with GDPR, please download our free GDPR for clients document (Google Docs).
All data collected on your users and clients is your responsibility as the Data Controller, and it is important for you to understand your legal responsibilities. You need to familiarise yourself with the law and how this affects how you interact with any personal data you collect. For more information on your full legal responsibilities, please see the ICO website.
You also need to ensure that Data Processors you use, including Red Balloon, are upholding the requirements set out by the law.
For help ensuring that you are handling personal data correctly, please use the ICO checklist.
Creating a Privacy Impact Assessment (PIA)
As part of your responsibilities you are required to undertake a Privacy Impact Assessment. A PIA should be undertaken before any data is collected (i.e. before a website goes live).
Where data is collected or stored on the website, it is important to ensure that the PIA correctly reflects the process used by the system. This information can be provided by Red Balloon.
The PIA should be considered a living document. As updates are made to systems or internal processes, you need to make sure that the PIA is updated to reflect them.
In the event of a Data Breach
As soon as you become aware of a data breach you must report it to the ICO within 72 hours. See the information on reporting a breach above.
Data Protection guidelines
- Only store information you need.
- Delete old or out of date information. Information should not be stored forever.
- Don’t require individuals to give you more information than is absolutely necessary (you can still ask for more information, however).
- Ensure that you are receiving explicit consent to record and use data. Users must be asked to opt in, rather than opt out.
- Don’t share or use personal data in any way for which you don’t have explicit permission.
- Record when and how the permission was obtained. The burden of proving consent rests with you for all data collected.
- Ensure that your records are adequately secured. Use secure passwords and password policies. If you hold sensitive information, it needs to be securely encrypted.
If any data is lost or stolen, inform the Information Commissioner’s Office (ICO) within 72 hours.
We can help
If you require assistance in getting compliant with GDPR, speak to Red Balloon. We’ve already helped multiple businesses get compliant and are diligently working with many others, of all sizes, to ensure compliance.
Red Balloon can help write your privacy impact assessment and ensure your website and data processing are up to scratch for the new law, whilst providing consultative advice to ensure the smooth continuation of your own business. Contact us.