Like a lot of parents, I’m super busy and don’t have time to trawl the Internet researching a topic, let alone understand it in my sleep-deprived brain fug. So I’ve done the work for you, condensing topics down to the essentials you need to know, plus more detail if you need it.
GDPR is something I’ve been putting off thinking about, but actually it’s pretty straightforward.
Here’s our easy guide to GDPR:
What You Need to Know
- General Data Protection Regulation (GDPR) comes into force from 25th May 2018
- Personal data must be complete, accurate and stored securely
- You must be able to quickly identify all data held about an individual, and delete it if requested
- Ensure that your policies are updated before the new legislation comes into force, and that you have rechecked consent where appropriate
In More Detail
(the word organisation is used to represent businesses, sole traders and other bodies such as charities)
Make sure that everyone who is involved with your organisation is aware that the new regulations are coming and will be legislation from 25th May. Don’t leave it to the last minute to ensure that you have all of the correct policies in place.
Identify all of the personal data that you already have, where you originally got it from and whether it is shared with anyone else. This includes data from sources such as email subscription lists, customer records and comments on blog posts. The easiest way is to set up a spreadsheet listing the data, its source and any sharing (for example, sharing a competition winner’s details with another company). At this stage, if you find that any of the data you have shared is incorrect, you must let the other organisation know so that their records can be updated. You should also ensure that any other organisations that hold data on your behalf, or that you share data with, are compliant with GDPR (for example, giveaway entry companies such as Rafflecopter or Gleam).
Update, or create, a privacy notice for your organisation, which you will provide to anyone you collect personal data from. This must include the identity of your organisation, how you will use their data, the time period you will retain the data for and the lawful basis under which you are processing the data (the most common being that you have asked for, and been given, the person’s consent). Importantly, you must also highlight that if individuals think there is an issue with how you are dealing with their data, they have a right to complain to the Information Commissioner’s Office (ICO).
Also review your data handling procedures to make sure that they cover the new rights set out by the GDPR. The key point here is that an individual can request to see all of the data that you hold which relates to them, and to have that data deleted. You must have an adequate system in place to be able to respond to these requests within a month. You must be able to prove that these systems are robust, if questioned by the ICO. You will have to provide the answers to these requests free of charge, and if you refuse to complete a request, the individual can complain to the ICO.
Consent becomes a very important concept under GDPR. It must be expressly given and specific, and the individual must be informed at the time what they are giving consent to. It must not be made a condition of something else, such as requiring a newsletter sign-up as a competition entry. There must be a clear process for how consent can be withdrawn. If you are not sure whether the personal data you already hold has met these conditions, it’s best to recheck with individuals (for example, emailing all subscribers to ask them to confirm they are happy to remain opted in). Data that the individual has volunteered themselves, and which is not shared, does not need to be rechecked (for example, comments on blog posts).
If you collect personal data from children, you will need to gain consent from an individual that has ‘parental responsibility’ if the child is under 16.
If you suffer a data breach that is likely to result in a risk to the rights and freedoms of individuals (for example, it could lead to discrimination or damage to reputation), you must inform the ICO and, in some cases, the individuals affected.
If you are going to be implementing any kind of new system which will impact on how you store and deal with personal data, you should carry out a Privacy Impact Assessment.
Identify who in your organisation will be the designated Data Protection Officer. This person should understand the GDPR and how this relates to the personal data held in your organisation. They will also be the point of contact for information requests and contact with the ICO.
The Information Commissioner’s Office is the regulatory body responsible for GDPR and has all of the regulations laid out on their website.
If there’s a topic you’d like a Busy Mum’s Guide To, let me know! gemma (at) mummyswaisted . co . uk