The dark cloud of the General Data Protection Regulation, better known as GDPR is about to descend upon us. Have you got your umbrella of security and raincoat of compliance at the ready? Are you prepared for the hailstones of data protection? Hiding away by taking shelter unfortunately is not an option; but never fear, Johnathan is here with a summary checklist of what needs to be done by the 25th of May.GDPR is coming into effect, replacing the Data Protection Act 1998.
In effect, GDPR seeks to safeguard "personal data", which is defined in the law as follows:
"Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". (Source: Information Commissioners Office)."
Here are five things every startup company should know about GDPR:
1) Be aware.
GDPR may be the hot topic on everyone's minds, but there are still people out there who are uneducated on the fundamentals. Have meetings to discuss your GDPR operations with the various key decision makers in your company, ensure that everyone is on the same wavelength. The more you discuss the less of a burden it will be.
2) Know what personal information you collect and hold:
We all love a good audit, by conducting an information audit you identify the types of data you hold, who you share it with, where it is stored and how long for. This is essential when complying with the regulation as it requires you to document your processing activities.
3) Know peoples rights:
GDPR states that individuals have certain rights that should be taken on board when collecting, obtaining and storing personal data. These include:
- The right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability, and
- the right to object.
These rights are applicable to all elements of personal data, and apply to both customers, potential customers and employees. So it is important that you put processes in place to comply with this element of the regulation. For example if someone rings you up asking to have their details permanently deleted from your emailing system, do you have the appropriate steps in place to ensure this is successfully and efficiently completed?
4) Data breaches do happen:
Despite what we all tell ourselves, no one is perfect, we all do silly things and we all lose things. The Information Commissioner's Office understands that accidents happen; it's how you deal with them is what matters. Whether you misplace a memory pen or leave your laptop on a train, you need to assess the threat of the data breach and if applicable, report the breach.
I would recommend that you put a contingency plan in place in the case a breach occurs.
This contingency plan doesn't need to be over complicated, just list the procedures to report the breach. This covers you and can further restrict damage on the persons data.
5) You need an up to date Privacy Policy:
Do you have a Privacy Policy? If so, update it! If not, it's time to get started.
Establishing your company's Privacy Policy is going to be one of the most important steps you will need to take in becoming GDPR ready. There are plenty of privacy policy templates out there, one of the best places is the ICO’s website which breaks down exactly what should be included.
Below is an easy step guide to ensuring your Privacy Policy is compliant (and if you have done your audit it will be easy to complete).
- What personal information do you have? (Use the findings of your audit).
- What do you use the information for?
- Do you have consent or a lawful basis to hold an individuals personal information? (Gone are the days of pre ticked boxes, they now have to tick themselves).
- How long will you hold their data for?
- Will you share an individuals personal information with a third party?
- Individuals can access their data at point, give guidance how they can do this.
- Your privacy policy should be easy to read and to the point.
So there you have it, five things every startup company needs to know about GDPR, just remember, don’t panic, be thorough and make sure you dot your "i"s and cross your "t"s.
I am no expert on GDPR, but I have just been through the rigorous learning and preparation process and thought I would share some of the pain (and learnings). If you need assistance with GDPR I would recommend you speak to someone qualified to advise, such as a solicitor specialising in GDPR (I can recommend some if you need).
Best of luck !!!
