GDPR 5 Minute Guide for Digital Nomads' Clients
What is GDPR?
The General Data Protection Regulation is a wide-ranging regulation designed to protect the privacy of individuals and give them control over how their personal data is processed, including how it’s collected, stored and used. It will be enacted in the UK through a new Data Protection Act, coming into force on 25 May.
What does GDPR mean?
Although GDPR might seem scary at first, many see it as a positive step forward for data protection. Some of the key areas GDPR covers are:
- personal data about individuals (absolutely all of it)
This includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contacts, medical information, credit card or bank account details and more.
- how you collect personal data
You can only collect personal data if you have a legal reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
- user contracts and terms and conditions (on websites, for example)
These need to be simple, clear and easy to understand – with no complicated legal text.
- the right to know
Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).
- the right to erasure
Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
- data portability
Individuals can request a digital copy of their personal data to use, however they like, including transitioning to a new service provider.
- data breach
You’re obliged to report certain types of data breach to the Information Commissioner’s Officer (the ICO is the UK regulator).
Brexit won’t affect your obligation to comply.
GDPR and data protection
It’s important to understand the spirit of GDPR. The legislation came into existence because of the way personal data has been treated in the past. Many companies treated personal data as a resource they could utilise without regard to the rights of individuals.
For example, some companies sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to adequately protect data against hackers.
GDPR gives control of personal data back to the people who own it and requires organisations to make data protection a core part of their operations and processes. This is likely to affect big, data-driven organisations first. But small organisations aren’t exempt. We’ve set out some steps below that you can take to make sure you’re prepared.
Does GDPR affect data security?
Data security is a big part of GDPR. If you process personal data you have a duty to keep it safe so it’s important to ensure that any personal data held by you is securely stored.
You will need to think about encryption. Password protection does not encrypt data which is easily recovered from devices without encryption. The ICO have already fined individuals and organisations where unencrypted laptops or other computer equipment has been lost or stolen.
GDPR also governs where you store personal data, and what safeguards you must have in place in order to store and process that personal data outside of the EU. For example, if you’re transferring personal data to a US-based company (that will store it in the US), you should check they have a Data Protection Addendum in place. This is required under the GDPR (Processor Terms) and should incorporate standard contractual clauses for controller to processor transfers of personal data from the EEA to a third country.
Summary of GDPR
There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – that means treating it as you’d treat something valuable of your own. Some initial practical steps you can take to get GDPR compliant are:
Check products and services
- Check which of your products or services collect and process personal data.
- Ensure you have a legal basis for the processing of personal data.
- Ensure you can comply with the obligations to your customers as set out in the GDPR (such as the right of access and the right of erasure).
Review notices and contracts
- Update your internal and external notices for GDPR compliance.
- Ensure your customer contracts are GDPR compliant.
- Make someone in your organisation responsible for data protection and privacy.
- Consider whether you need to appoint a Data Protection Officer – check out the ICO’s guidance for more info.
- Provide data protection training for staff.
Take care over security
Ensure systems that collect, process and store personal data are secure. Implement encryption. Consider the security of data saved to cloud based solutions e.g. Dropbox, Google Drive, One Drive etc.
You can get useful information on GDPR from:
- The UK Information Commissioner’s Office (ICO) – 12 steps to prepare for GDPR.
- The Federation of Small Business (FSB) – How to prepare for GDPR.
- Data Protection Network
- Virtual Session: GDPR without the Hype
- How to create best practice privacy notices (with examples)
- When and how shall a privacy impact assessment be run?
You should also consider seeking professional advice to ensure you are compliant.