The rules about processing people’s personal data underwent significant change with the implementation of the EU’s General Data Protection Regulation (GDPR) in Europe. The law puts in place a uniform set of rules for processing personal data across the EU and beyond.
With stiff penalties for failing to comply, it’s important that any organisation handling personal data is compliant with the rules. While we aren’t lawyers, and this isn’t a substitute for qualified advice, we’ve highlighted 5 tips that could help you get up to date with GDPR if you haven’t already.
A good first step to making sure you are doing the right thing with personal data is to take some time to think about all the different types of data you collect, what you do with it, and why you need it.
For example, you might have an email newsletter sign-up form. Think through all the information it is collecting, and why. Also think about other areas where personal data is being processed (which includes simply storing it). Staff HR data, customer databases, mailing lists: the list can go on, but once you know where you are, it will be easier to understand what you need to do to protect that data and comply with the law.
After you’ve got a good picture of what data you’re collecting, and why, you should think about whether it really needs to be collected. One of the key principles of the GDPR rules is that data is “adequate, relevant and limited to what is necessary”. In short, if you don’t need to collect a particular piece of personal data, don’t collect and keep it. For example, someone’s street address or phone number is probably not necessary for sending an email newsletter.
One of the key things about GDPR is the importance placed on ensuring that you have permission to process personal data. There are several different grounds for permission to use personal data, but in many cases, you will need to get permission from the individuals whose data you want to handle.
We’ve all been through this; you buy something online or make an account for a website and have to tick a box to say that you consent to receive marketing communications.
After this, you also need to make sure you keep a record that each person whose data you hold has given that consent.
In most cases this can be summed up as: don’t process someone’s personal data if you don’t have their permission.
It’s impossible to cover everything in 5 tips, so make sure you have the skills you need to protect personal data. As you’ll have seen if you did a data audit, you’re probably processing more personal data than you thought, even if you’re working in a fairly small organisation.
Our new Data Protection module, aimed at people working in small and medium-sized organisations who have to deal with personal data as part of their jobs, is designed to help organisations in their efforts to become compliant and to be assured that their workers have the right skills.
You can find out more about the module here.