GDPR: What you need to know – part 2
Some more pointers to help with the May deadline
General Data Protection Regulation (GDPR) will come into force on 25 May 2018, to better protect our personal data.
If your business holds the personal data of staff, customers, suppliers and other business contacts, you’ll be affected.
Hopefully, you saw our GDPR – part 1 blog. If not, just click here for guidance on preparing for the 25 May deadline. If you’ve got the part 1 pointers covered, it’s time to move on. What else do you need to think about? Let’s begin.
I’ve got a right to know
Once you’ve looked at and revised your privacy statement, it’s time to think about subject access requests. Don’t worry, it’s not as complicated as it sounds. Individuals can already ask an organisation what personal data it’s holding. The organisation is required, by law, to tell people but it’s likely to charge for the privilege.
Under the new GDPR laws, if a request comes in, you have a month to respond, rather than the previous 40 days. In most cases you won’t be able to charge individuals for complying with a request.
To make sure you comply with the revised rules, all employees dealing with these requests should understand the changes. You might also want to create or update template emails and letters, so responses can be given quickly.
Do you really need to collect this data?
You should identify the lawful basis for processing the data you collect. Could you reasonably achieve the same purpose without processing the data? If so, you won’t have a lawful basis to collect and use it.
Under the new GDPR rules, you’ll need to outline your lawful basis for processing personal data in your privacy statement. That’s the thing we talked about in part 1. You’ll also need to state lawful basis when you answer a subject access request. That’s the thing we mentioned above.
Have you got consent?
Just because someone didn’t say they didn’t want you to hold their personal data, it doesn’t mean you can. There is a great checklist on the ICO website which gives more information on the changes under GDPR.
Some highlights to whet your whistle:
- Consent information needs to be kept separate from other terms and conditions.
- Pre-ticked boxes are no longer an option.
- You need to keep a record of what people did or didn’t sign up for.
- People need to be told they can withdraw consent too.
What about the children?
New rules will mean that for the first time there will be special protection for children’s personal data, particularly for social networking. If you offer online information services to children and need their consent to collect information about them, you may need a parent or guardian’s consent first.
That’s all folks (for now)
Stay tuned for more guidance on the 12 things you need to do before the GDPR deadline on 25 May.
Regular visitors to the THP blog may have seen our earlier posts about GDPR. A non-boring guide to GDPR and 12 things you need to do before 25 May. These give a great (not that we’re biased) overview of what GDPR is and how it will affect your business.
Don’t forget, THP also needs to be fully compliant by 25 May 2018. If you’d like to know how we’re working through this, speak to your local THP contact at our offices in Wanstead, Cheam, Saffron Walden, Chelmsford, and London City. Maybe you’ve got some ideas we could borrow too.