What is GDPR?
Note: this is a guide only and does not replace any legal advice for your business.
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. We look at what it is and why you need to be aware of the changes.
The GDPR is a regulation on data protection and privacy for all individuals within the European Union. In fact, it is not a completely new law but an update to the 1995 Data Protection Directive in order to reflect the world we now live in.
The changing ways businesses use individuals’ data has been an especially hot topic recently. This new regulation aims to make data protection rules more relevant and comprehensive in today’s world, in order to protect the privacy rights of individuals. The scope of the new regulation is broader and goes well beyond EU borders, which is good reason to ensure your business practices are up to scratch.
Who does it affect?
The GDPR covers any company and organisation, regardless of its location, handling personal data of anyone located in the EU. If you’re a business that collects, changes, transmits, erases, uses or stores personal data, including in an email marketing list, this law relates to you.
Making changes will result in greater trust, email engagement and better marketing, so it is also good for your business.
What is the purpose of the regulation?
The GDPR is designed to protect the rights of individuals around the use of their personal data.
The new regulation enhances these rights and includes:
- The right to be informed – your contacts are entitled to know what data you hold about them and what you are doing with it.
- The right to be forgotten – your contacts can request that their personal data is deleted, within a timely manner.
- The right to object – a contact can object to certain uses of their personal data.
- The right to rectification – the right to request that data held by an organisation is corrected.
- The right of access – an individual has the right to know what data is held and processed by you and to receive a copy of the relevant data free of charge.
- The right to portability – the ability to transport their personal data to another company.
In short, GDPR is the EU’s way of giving individuals, prospects, clients, contractors and employees more control over, and better access to, their personal data.
How does GDPR affect my business?
Even if you are not based in the EU, please consider, together with your legal department or advisors, whether your business will be in scope of the GDPR when using BOMA.
Data processing – Companies need to be open, fair and transparent about the processing of an individual’s personal data. As a business, you need to be prepared to tell customers how their data is being used and support requests for amendment or deletion. In most cases, you will not be able to charge an individual for accessing their data, unless you can demonstrate excessive processing costs.
- Assess and understand what personal data you hold.
- Have a record of how you obtained it and why.
- Ensure you have processes in place to respond to requests such as access and deletion.
Get Consent – Where companies are relying on consent as the legal basis for processing data, they must obtain individual consent for every usage of personal data including sending emails. That consent must be both specific and verifiable.
Here’s what that means:
Specific: Consent must require affirmative ‘opt in’ action, so no pre-checked boxes. Be clear and unambiguous in your request and explain each purpose for which you will use the data.
Verifiable: This means keeping written records of when and how a person agreed to you processing their personal data, so that you are able to provide evidence of compliance for each case.
- Make sure you have consent from individuals to hold their information.
- Communicate clearly and openly and be transparent about why you are collecting information.
- Collect only the information you need, and only keep it for as long as you really need it.
- Keep a record of what the individual agreed to.
- Inform individuals of their right to withdraw consent in each marketing communication.
- Gain consent from existing contacts and data lists.
Privacy by Design
GDPR regulations stipulate that businesses must build in data privacy ‘by design’ when developing new systems. You need to be able to demonstrate that you have considered and integrated data compliance measures into your data processing activities, including the consideration of the potential impact, so you can mitigate any privacy issues before they arise.
- Review your organisation’s internal processes to ensure they comply and privacy is paramount.
- Make sure all your employees and co-workers understand the policies.
Data Privacy Officer (DPO) – GDPR will also require some businesses to have a Data Privacy Officer to oversee internal compliance efforts. These include public authorities and organisations whose activities involve systematic monitoring of personal data on a large scale. Even if you do not need a formal DPO, you should allocate a suitably senior individual to be responsible for data protection matters.
Some GDPR Terminology
Personal Data – any information relating to an identifiable living person, including name, ID number, online identity, location data or information about the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Controller – determines the purposes and means for processing personal data.
Data Processor – responsible for processing personal data on behalf of a controller, but does not control the purposes of processing.
More Reading on GDPR
If you’ve not already started your GDPR compliance processes, we’ve written a guide on the key things you’ll need to do as an accountancy or bookkeeping firm.
There’s more guidance on meeting your GDPR requirements and easy checklists on the ICAEW website and on the ICO website.
BOMA & GDPR
We’ve updated our Terms to reflect the requirements of the GDPR. To view our updated terms, click on the links below.