It’s been just over a year since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 were implemented.
A massive seismic shift for many companies (and not just the little man), it has had repercussions even for the big businesses, with Google’s fine of $50 million and Facebook’s mind-blowing fine of $1.6bn last October.
And with data breaches still happening (most recently Microsoft’s disclosure to the ICO in April this year), it would be easy to take our eyes off the ball while the ICO obviously still have their hands full with bigger fish to fry.
But after all the hard work already put in, this is the key time to refocus and ensure that your hard-won processes are still working, so that you are in good shape for when more audits are put in place or, god forbid, you suffer your own data security breach.
Three key points to remember are:
1. All personal data is affected by GDPR
That includes the data of your customers, your staff, and any other stakeholders in your company. It can be anything from mailing lists to HR records, CCTV footage and ID passes. Anything that can be used to identify an individual person falls under GDPR and must therefore comply with the regulations.
2. Data usage must be explicitly outlined and audited
One of the key requirements of GDPR is the way in which data controllers (the companies who “own” the data) and data processors (the companies who “make use of” the data) outline to the data subjects – such as customers on their mailing list – exactly how their data will be used. This includes which information will be stored, for what purpose, and for how long. A great place to start is a full review of your company’s privacy policy. It is important to remember that the customer (data subject) now has more power than ever before to obtain information on the usage of their data, and even has “the right to be forgotten”.
3. Consent must be clearly given and not taken
Do you still have an automatically ticked “stay in touch” box on your online order forms? (Hopefully not!) Under GDPR, this and many other common marketing tactics are no longer compliant with data protection law. The consent of the customer (or any other data subject) for companies to store and use their data for marketing (or any other) purposes must now be given explicitly by the subject, and a clear audit trail should be visible for every data subject and the consent they have given. Should your customer wish to be “forgotten”, it is now mandatory under GDPR that you ensure all data records relating to that person are permanently deleted (not just from your mailing list).
The ICO published this blog post in May outlining their commitment to GDPR and the ongoing accountability for the security of information (https://ico.org.uk/about-the-ico/news-and-events/blog-gdpr-one-year-on/), so keep at it and stay safe!