In the 21st Century almost everything we do – keeping in touch with friends through social media, online shopping, exercising, driving, even watching television – leaves a digital trail.
The way our personal data is handled has never been more important.
The General Data Protection Regulation (GDPR) comes into effect on 25th May and brings data protection into the digital age. It is the biggest change in a generation and should give us all back control of our own information.
Any organisation that processes personal information – be it a multi-national bank or a high street hairdresser – will have a legal obligation to treat that information fairly and transparently. You must be able to account for what you do and explain how and why you do it.
You need to know, from the off, that personal information is anything that could identify a living individual (e.g. a name, email address, physical address, IP address and much more) and that processing includes simply storing that data. It is inevitable that any small business, charity or public sector organisation will be processing personal information and will therefore have to prepare for and be able to evidence compliance with the GDPR.
The GDPR gives people new rights. Together they give people choices about how their data is used, shared and stored. It’s good that you’re aware of the new law, are reading this and want to get it right, but there is no need to panic.
The Federation of Small Businesses and others are raising concerns about small organisations being less prepared. They generally struggle to know where to start, have less time and money to invest in getting it right, and can’t stretch to specialist resources like dedicated compliance teams or legal advisors.
But regardless of your size, if you hold personal information, the GDPR still applies.
Acknowledging there’s a new law is the first step. Next, undertake an audit (make a list) of the kind of personal data you hold. Think about why you have it, if you even need it, how you keep it secure, what you do with it. There’s more detail later about what you should consider and record. If you don’t need data you currently hold, get rid of it now.
In the future, you will need to clearly tell people what you’re going to do with their information before you collect it. And in the unlikely event the worst happens, know how to spot a breach and how to report it.
The GDPR is about commitment; it’s about putting your customers, contacts, residents and users first. If you adopt a mind-set that ensures you treat personal data fairly and transparently, compliance should follow.
The Information Commissioner’s Office (ICO) is the regulator in the UK and they have stated they will always look to educate, engage and encourage compliance. There are a lot of resources available on their website, including a Guide to the GDPR, to help you to help yourselves.
In our work with Parish and Town Councils we’re aware the ICO have stated they expect to see organisations working ‘towards’ compliance. So you need to make a start but perhaps not lose sleep if you don’t have everything completed by 25 May.
How will GDPR impact your business?
GDPR applies to every company and business. We’ve drafted a GDPR guide with more information on how GDPR will affect your business and what you can do to get prepared.