GDPR fundamentally affects the way businesses gather, hold and process personal information.
The rules apply to every business that holds personal data on EU citizens. The penalties for noncompliance are severe, so if you haven’t already taken the necessary steps it’s vital to act as soon as possible. GDPR is essentially a beefed-up version of the Data Protection Act. The objective is to keep personal data safe and prevent businesses from misusing it. It boils down to what data you hold, whether you should have it, what you’re doing with it, and whether it’s securely stored. The new rules also enhance the right to be forgotten and the right to correct personal information held by a business.
The other main changes are the requirements to have written policies and procedures and to keep records covering matters such as data breaches and requests for access to the personal data you hold.
GDPR is concerned with any data that is ‘personally identifiable’, so anything that can be linked to a ‘natural person’. This includes names, addresses, contact details, IP addresses and bank details. If you haven’t already, you’ll probably need to undertake a ‘data audit’ to understand which of the information you hold is covered by GDPR, and where it’s kept. This includes data that your business captures about your clients and the client data you might need to give to third parties. It’s important to remember this isn’t just electronic information, but physical records too.
You also need to establish whether you should be collecting and holding the data in the first place. If you’re holding personal data, you need to tell clients what you’re holding, and what you’re going to use it for. This also extends to employees of your business as you’ll probably hold plenty of personal information on them.
There’s often a legal obligation to hold data for a certain time, but after this period you need to think about whether you have a valid business reason for retaining it. This may mean securely destroying physical records or deleting electronic files. You also need to make sure that the data you hold is secure, so you may need to look into secure emails and encryption, for example.
Third parties, such as cloud service providers and other contractors, may be holding data that you need to protect. You’ll need to ensure that they also comply with GDPR.
You can only contact people if your marketing is targeted, proportional and relevant. This means being very careful about mailing lists. The days of blanket marketing to everyone are long gone.
Subject access requests
GDPR gives a person the right to ask a business what information it holds on them and to have that information destroyed if they request it. There may be legal obligations for you to retain that information, which override this. You will need processes in place to deal with subject access requests, as you must respond within 30 days and they can be very time-consuming.