Do the letters GDPR fill you with a scary mixture of fear, dread and panic, or are you not quite sure what they stand for? Judging by the conversations I have had recently, and the radio phone-in I heard a few days ago, most people currently fall into one of these two categories. Whilst the negative emotions are not a good feeling, at least they mean you’re on board with it, and you know that this acronym stands for the General Data Protection Regulation, and that it comes into effect on 25th May 2018. Whilst you might not be fully prepared yet, you know that you have to be, and while that might not be half the battle, it’s a good way towards it.
If you didn’t know what GDPR stood for, or only had a vague idea, and you are involved in any kind of organisation that deals with information about people, then you really need to start looking at this straight away.
There are a lot of false rumours circulating about GDPR, who it affects, and what everyone needs to do. In summary, these regulations seek to ensure that everyone has greater control over their personal data and how it is used, including enhanced rights in relation to erasure and portability. It gives you more control and transparency over your personal information, including who sees it, how you can access it, what organisations do with it and how long they retain it, so as to ensure they only use it for lawful reasons.
Personal data includes information such as your name, address, email, date of birth and national insurance number. Criminal records data and sensitive personal data (now called “special category data”) have to be looked after even more carefully; this could include information about your religion, health, sexuality or political allegiances. As a professional services firm, we have always been aware of the need to treat your information with great care, and of course we have a duty of confidentiality to our clients. That doesn’t mean, of course, that we don’t need to do anything to ensure compliance, and we are currently checking that our policies and procedures are up to date with the new requirements. Some other businesses, though, are finding this more of a transformational task, and if that is you and you have not taken any action, you need to start thinking about it straight away.
There are a lot of questions and myths out there. These are some I have heard personally, and which I will try to respond to:
“If this is a European law, then it won’t apply to us after Brexit…”
Wrong. Yes, it is a European regulation, but it still applies and is being adopted into English law. Even after Brexit, the likelihood is that most of us will have dealings, directly or indirectly, with other organisations within the European Union, and the rules will therefore apply.
“I have heard it doesn’t apply to small businesses, so I’ll be OK…”
Wrong. It applies to everyone who controls or processes personal data. That includes not only commercial businesses but also charities and voluntary organisations, such as sports clubs. Everyone has to understand the procedures and ensure they have policies in place to deal with them.
“I can just ask people to opt out if they don’t want me to contact them or use their information…”
Wrong again. Whereas in the past you would see those tiny boxes on forms saying you could tick to opt out, now you may have to actively opt in if you want to receive information. And once you have done that, you should always be given the option to unsubscribe or opt out again.
“If I say I want all my data destroyed you have to do that straight away.”
That’s wrong too. Yes, the new rules give you the ability to invoke the “right to be forgotten” and ask for your data to be destroyed. In many cases it can be. However, if it has to be kept for legitimate reasons, including statutory or regulatory reasons, then those have to be complied with too. For example, if you are dealing with us, the Solicitors Regulation Authority dictates that we keep your case file for a certain length of time, depending on what type of matter it is, but for a minimum of 7 years, and we have to abide by that even if you say you want your file destroyed.
“As a business, I have to contact all my customers, and get their consent to use their data.”
That’s actually wrong as well. Yes, in a lot of cases, such as when you sign up for a mailing list, you may need specific consent, but it all depends on what you need the information for and what you are going to do with it. To take another example from our work, if I am dealing with a personal injury claim for you, I need to collect certain information to send to the defendants, including your date of birth, national insurance number and other details. I don’t have to get you to specifically consent to my sending this information to them, as I can’t deal with your claim without doing so. I have a legitimate interest which enables me to process your data in this way.