Unfortunately, as with many new things, there are some grey areas which different ‘experts’ are giving different answers to, leading to quite a lot of confusion! My personal view is that we won’t know the answers to some of these questions until the regulations are in place and there have been some example cases for us to refer back to.
However, the regulations are pretty clear about how they want people managing data (us!) to look after it. With this in mind I am taking the approach of carefully interpreting the regulations and applying them to my business in a way that I am confident I can explain and defend, all the while putting my clients first. This is an approach I try to apply across all areas of my business so it doesn’t seem too much of a leap to apply it here.
Throughout this week I am going to share what I am doing about GDPR and why. Hopefully this will help you to make decisions for your own business. Here’s what I am going to be sharing…
- Overview of the Principles of the Regulations
- What is my starting point?
- Consent. What does this really mean?
- Keeping data safe. Simple steps.
- What I’m doing next.
Let’s start at the very beginning….
GDPR comes into force on 25th May 2018 and affects all personal data held for EU citizens. This means that even if you are outside the EU, you will need to comply with the regulations if you have clients who are EU residents.
Let’s start by getting really clear on what these things mean:
Personal Data = “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
- This will include names, addresses, invoices, notes about contacts, number of times they have opened emails and much more.
- The data can be held on paper or electronically
- Online identifiers are included in personal data (IP addresses etc.)
There is also special attention given to:
Sensitive Personal Data which covers data that “processing could create significant risks to the fundamental rights and freedoms of the data subject”.
This includes things like:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
The 2 types of people (Article 5(2)) that can interact with the data are called:
Controllers “A controller determines the purposes and means of processing personal data.” (This would be the person making the decisions about what happens with the data)
Processors “A processor is responsible for processing personal data on behalf of a controller.” (This would be the person actually doing the processing.)
REAL LIFE EXAMPLE: If you employ a Virtual Assistant to send out your newsletter then you are the data controller, deciding to use personal data (email addresses and names) to send the newsletter. Your VA is the processor, actually doing the work with the data.
Both groups are responsible for looking after personal data in line with the principles and as a small business owner it is likely that you will be both a Controller and a Processor depending on what you are doing within your business.
So what are the GDPR Principles?
There are 6 principles and they really aren’t that bad. Let’s take a look:
Personal Data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
In simple terms – you have to look after personal data in line with these principles (as well as any other laws that may apply) and you must do it in a fair way that is clear to the people whose data it is.
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
In simple terms – when you collect personal data, you and the person whose data it is need to be completely clear what you are going to be doing with it. You can then do that and only that.
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
In simple terms – you can only collect data that is needed for the thing you are doing with it.
REAL LIFE EXAMPLE: Do you really need people’s phone number to send them a free download? No. Not relevant. How about for a workshop, in case you need to cancel at short notice? Yes, that seems very reasonable. See the difference?
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
In simple terms – you must be careful to ensure data is correct and if there are mistakes to correct them quickly.
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
In simple terms – you keep the data while you need it and you get rid of it (safely) when you don’t.
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In simple terms – all the data you hold is stored in a responsible way that takes reasonable measures to keep it safe.
See, that’s not so bad, is it? As with all these things though, the devil is in the detail. Tomorrow I’m going to take a look at how I am getting started with making my business GDPR ready.
This information is not the same as legal advice, where a solicitor applies the regulations to your specific circumstances, so you must consult a solicitor if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this information as legal advice, nor as a recommendation of any particular legal understanding.