Q&A: How will GDPR affect your business?

GDPR, or the General Data Protection Regulation, is a modernisation of the existing 1998 Data Protection Act, and is set to roll out 25th May 2018.

Since 1998, the way data is shared and held has evolved. Internet use has rocketed and social media has changed the way personal data has been collected and even used.

With GDPR’s implementation just around the corner, we spoke to Dean Martin – data protection officer at Blue Wren – to ask just how GDPR will affect businesses, both locally and nationwide.

What is GDPR set to affect?

Everything and everyone.

The GDPR will affect all businesses, as well as providing extra protection for consumers. Nothing’s changed in the fact that businesses must continue to be ethical in the way they collect and process personal information, but the extent to which businesses control and document that data will be increasingly legislated and transparent.

In a nutshell, though, it applies to any personal data that can be considered a ‘personal identifier’.

What has changed?

The biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others and, ultimately, mitigate those risks. Consumers will also have stronger rights to be informed about how organisations use their personal data.

With the consumer’s right to erasure, they can request that you delete them from your mailing lists and businesses need to comply with that. On the other hand, employee records may need to be kept for several years, as legally defined for tax purposes and so on.

In essence, businesses now need to define retention periods and stick to them, be it for the needs of the business or for legal reasons. For example, you can only keep CVs for recruiting a specific position… once that position is filled they must be destroyed, unless otherwise stated of course.

How would a business obtain GDPR compliance?

Whilst I’m sure most businesses are already committed to protecting customer information, there are more practices that will need to be put in place. Keeping more records, producing more documentation, essentially putting policies in place to demonstrate that your business is specifically focussed on compliance.

And while there is the more encompassing red-tape aspects of GDPR legislation, it’s also the simple things that are heavily affected. Things like leaving confidential or personally identifiable information lying around, like contact details jotted down on notepads or Post-it notes during a phone call. They’re completely against the general principles of GDPR.

What are the GDPR principles?

Well, there are seven, if you include the business’ accountability. And you can’t just follow some; you have to stringently adhere to all of them.

Listing them: starting with accountability, your business must be able to demonstrate that it is working in compliance with GDPR. Therefore, appropriate documentation must be kept, keeping track of any permissions you’ve been granted or refused.

Next is to be lawful, fair and transparent. So, any data you collect needs to be done fairly and for a legal purpose. You can’t just collect the data without expressing why, you need to be transparent about how it’s going to be used.

The third is that it’s limited for its purpose. Meaning, it can only be collected for a specific use. To give you a dubious example: if you were collecting CVs, say, you couldn’t then retarget those people with e-shots later down the line simply because they’ve ‘technically’ given you their email address.

Another principle is data minimisation. When you collect someone’s data, it needs to be done in a manner that isn’t excessive for its purpose. So, if you’re capturing e-mail addresses for future newsletters, you wouldn’t necessarily need to know their home address.

Next there’s data accuracy, which is self-explanatory, really. But all data that you hold must be kept up-to-date and accurate. Similarly, the sixth is data retention, which alludes to the fact that data shouldn’t be stored any longer than necessary.

Finally, and perhaps most importantly, there is integrity and confidentiality. All data that you keep must be kept safe and secure. No leaving computers unlocked or passwords scribbled down in the back of books…

In a nutshell, everything must be done in such a way that only those people who have the express permission to access the information, can. And when they do so, it must be utilised in a way that has previously been agreed upon.

So, is there any further important GDPR information that you’d like to mention?

Loads, but not for a quick Q and A! I’d suggest that everybody – employee, employer or consumer – check out the ICO (Information Commissioner’s Office) guidelines on their website (linked here). Ensuring you’re compliant with everything on there isn’t an option, it’s an absolute necessity for you, your business and your customer.