EMCC International Newsflash
GDPR is coming

Don't bury your head in the sand

Be ready by 25 May 2018

GDPR - does it affect me as a practitioner?
Everyone is talking about GDPR, but do you know how it will affect you as a practitioner? Are you ready?

If you hold data in any shape or form - whether a database, an Excel spreadsheet, a Word table, an email contact list, or even a paper file - then yes, it affects you!

Here's what you need to know about GDPR. (Note: you should seek your own legal advice to determine whether you are subject to the requirements of GDPR - do not rely only on what you read on-line, or even in this mailing.)

What is GDPR?
GDPR is short for the General Data Protection Regulation. It comes into effect on 25 May 2018. It was adopted by the EU's lawmakers to create a harmonised data privacy law across all the EU member states (it applies in every EU member country - even the UK!). Its purpose is to:
  • Support privacy as a fundamental human right
  • Require companies that handle personal data to be accountable for managing that data appropriately
  • Give individuals rights over how their personal data is processed or otherwise used.
What is personal data?
GDPR defines personal data as 'any information relating to an identified or identifiable natural person'.

The obvious kinds of information this covers are name, address, email address, financial information, contact information, identification numbers, etc.

It can also mean things like an IP address, geolocation, browsing history, cookies, or other digital identifiers.

It also could mean information about a person, including their physical, mental, social, economic or cultural identities.

In short, if information can be traced back to, or related in some way to, an identifiable person, then it is highly likely to be personal data.

What rights does this give your clients?
From 25 May 2018 your client(s) will have:
  • Right of access: Individuals can ask for a copy of the personal data you hold about them and an explanation of how it is being used.
  • Right to rectification: Individuals can have inaccurate personal data about them corrected, and incomplete data completed, at any time.
  • Right to be forgotten (right to erasure): Individuals can ask you to delete their personal data.
  • Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or was collected unlawfully, they may ask you to limit how you use it.
  • Right of portability: Individuals have the right to receive the personal data they gave you in a structured, commonly used and machine-readable format.
  • Right to object: An individual may at any time object to their personal data being used for analytics, direct marketing emails or other personalised (targeted) marketing, and may opt out of the use of their data for those purposes.
N.B. These rights are not absolute, and limitations/exceptions may apply in some cases.

What you need to do before 25 May 2018

  • You will be a 'data controller'. Document how you store personal information, whether on paper or on a computer, and how that information is secured.
  • Ensure that no unauthorised person has access to the data, and that anyone who does access it knows about GDPR and how to treat the information.
  • Tell your client(s) more about your use of their personal data. Make it clear what information you are keeping, for what purposes, and for how long.
  • Ensure that any sign-up forms (including on-line forms) include clear and specific language about all the ways you will use your contacts' personal data. For example, you can set their expectations by adding wording such as "We'll be sending you our monthly email newsletter, including the latest news about our events and new products, plus advance notice of occasional special offers."
  • Make sure that consent to keep data is opt-in rather than opt-out: an unticked box next to "I give permission for my data ...", not a pre-ticked box that the person must untick to withdraw permission.
  • Review how you have collected your data to date. Was it fairly obtained? Did everyone consent to you holding the data and contacting them? Did they know what they were signing up to?
  • Put in place your 'right to be forgotten' process, by which you will destroy all of a person's data should they request this (subject to any legal obligation you have to retain particular records).
  • Don't forget that local country data protection law may have additional requirements.


Visit our website: www.emccouncil.org
