GDPR: a moment of sensibility please, or Don’t Panic Mr. Mainwaring!
Ok, so no doubt you have heard of the new General Data Protection Act which is coming into force on May 25th 2018 across the whole of the EU. Well, if you haven’t, may I suggest a quick Google search, as it is not my aim to garble out the same old same old on the topic.
Managed to reach paragraph 2? Ok, firstly let me say that what follows is my opinion, based on 50 years’ existence on planet Earth, with the last 19 running my own business.
Part 1 – What is it?
Ok, put in simple-to-read plain English with no foggy bits:
GDPR aims to give the individual control over their personal data when interacting with a Company.
Really, is that all? Well, let’s get the main details into a few easy-to-read paragraphs…
When you collect an individual’s information, you should make very sure the individual has given you consent to store their data. If you have to store their data (for instance, if you are an online retailer and need personal data for the purposes of facilitating the transaction – let’s face it, if you sell physical goods online you need a name and address, right?) you need to let the individual know why you need this data.
When collecting an individual’s data, you should also be transparent about how long you will store the data and what you will use it for. If you want to market goods or services to the individual, they must now opt in (well, it’s been that way for a while and you have been doing that anyway, yes?); you cannot assume consent.
If you store data on individuals (irrespective of consent) you must publish how an individual can ask what data you have stored on them, how it was collected, how it is stored and how it is being used – and you cannot charge for this service. Oh, and you are also obliged to act on such a request quickly.
The individual can also request a correction if the data you store about them is incorrect. They can request the deletion of their data, a copy of their data, or that their data be sent to a third party.
Pretty simple, really?
Part 2 – Scaremongering
But if it really is that simple, why would companies be scaremongering other companies into complicated, unnecessary and extortionately expensive consultations just to work out what they need to do?
That really annoys me. Yes, there are great companies doing great work helping other great companies do a great job in making sure that they conform to GDPR – which, by the way, I do think is great.
I have had half a dozen consultations with prospective and existing clients who believe that GDPR is going to be an Armageddon. Come on now, no one can think rationally under that degree of pressure: breathe in, breathe out…
Part 3 – What you should do, being a rational human being (or, in GDPR parlance, a Data Controller or Data Processor)
Be very clear – make sure you get the consent of any person from whom you gather data to store their data, and tell them what you are storing and why you are storing it. Additionally, let them know how long you will store it, how they can ask you to correct it and how they can ask for it to be deleted. You should also consider data portability, especially if you are accountants, lawyers or in the medical profession, for instance. Portability probably won’t affect you if you are a clothing retailer, as I doubt you will ever be asked (however, if you are a tailor, you may be).
Alongside all of this you should record how you are recording the data: where you have been given consent, and how. Take screenshots or pictures on your phone, or save documents. When you change these, keep the old ones and version the new.
If you document what you are doing, how you are doing it and what you are using the data for, you will be fine. If you only ever use data in the way you have consent to use it (for example, marketing purposes), you will be fine.
If you do none of the above, or buy marketing lists for which there is no consent present – well, you could be fined…