Welcome to the first part of a four-week series on how to comply with GDPR, the EU’s new rules on data protection. Week 2 is being published today.
On 25th May 2018, every business in the UK must be compliant with new rules called GDPR. The rules have actually been around for nearly two years, so quite why we Brits are only hearing about them now is a mystery to me. It might have something to do with the GDPR being an invention of the EU; however, and this is really important:
GDPR COMPLIANCE IS NOT AFFECTED BY BREXIT
The rules apply to any data of EU-based citizens or companies, even if said data is held by a business outside of the EU. So get complying. Luckily, I’ve been working through an excellent online course and can help you not be scared of the big, bad GDPR.
By now you’re probably sick of those four little letters, so here is what they stand for. GDPR means General Data Protection Regulation, which isn’t that complicated when you think about it. The old laws on data protection needed updating, as everyone is working digitally these days and the software outstrips the old laws. So GDPR is an easy way of clarifying the existing laws, not a shiny new thing. As with most data protection laws, it boils down to common sense. Over the next four weeks, I’m going to be sharing what I’ve learned from the University of Groningen’s GDPR course, to help you achieve compliance.
First up, the GDPR expects that all data collection software used by companies must have privacy options built in from the beginning. This is known as Privacy by Design. Privacy will be the default option, and the aim is to prevent privacy breaches from occurring rather than fixing a breach after it has happened. Examples of Privacy by Design include VPNs, encryption and authentication.
Technically, the GDPR applies to natural persons and not to companies; however, it does apply to the members of staff of a company, so in this way company data is often covered.
The GDPR covers data processing carried out by computer or manually. But it does not cover activities carried out:
– for national security
– to prevent conflicts
– to aid political cooperation
– to provide humanitarian aid
– in the home for personal reasons (such as keeping an address book of friends and relatives)
You do not have to sell a product for GDPR to apply. If your goods or services are given free of charge, you still need to comply with the rules.
GDPR applies to ‘any information’, including but not limited to a person’s name, gender, occupation, email address and health, whether it is stored digitally or not. Any data that could be used to identify a natural person, whether directly or indirectly, must be protected. These rights do not apply to anyone deceased.
Understandably, extra care must be taken with data categorised as ‘special’ or ‘sensitive’, which includes: racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life and sexual orientation.
The people in charge of data processing, including deciding how it will be processed and why, are known as data controllers. The people who actually do the processing, according to the controller’s wishes, are data processors. Processors that process data on behalf of the controller must maintain a record of processing and ensure its security, but they do not have to implement the other principles of processing, as this will be done by the controller. If you are a self-employed freelancer like me, you get to be both controller and processor. Yippee!
The special term for a natural person whose data will be processed is a data subject. A Data Protection Officer (DPO) will be appointed by the controller to ensure compliance with GDPR, chosen for their specialist legal knowledge. As the DPO must have qualifications recognised by the GDPR, freelancers will most likely have to appoint an outside agency for this role.
To wrap up Week 1, the course set out the GDPR’s six main principles of data protection. These are:
1) Lawfulness, fairness, transparency (be clear and concise; data subjects must know you are collecting)
2) Purpose limitation (only collect data for a specified purpose; don’t use data for another purpose)
3) Data minimisation (don’t collect more than you need)
4) Accuracy (inaccurate data must be deleted ASAP)
5) Storage limitation (don’t store for longer than necessary)
6) Integrity, confidentiality (keep data secure)
A further principle, accountability, means the buck stops with data controllers. If the controller does not comply with the GDPR, they are the ones in big trouble.
One final note: data subjects must freely give their consent to have their data processed, and controllers must be able to prove that consent was given. In the case of minors under the age of 16, consent must be given by a parent or legal guardian.
I hope this run-through was helpful to you in implementing GDPR at your business. This blog is based on my notes from Week 1 of this course, which you can join for free. I have endeavoured to make sure everything is accurate, but if any errors have occurred, please let me know in the comments below.