The Guide to the General Data Protection Regulation
What is GDPR?
GDPR is the General Data Protection Regulation (EU Regulation 2016/679). It applies to all controllers and processors of personal data: a controller decides why and how personal data is processed, a processor handles it on a controller's behalf, and both carry obligations.
Essentially this means that if you use, handle or have access to other people's personal data, you need to ensure that your policies and practices are GDPR compliant. GDPR is binding law rather than a set of guidelines; its general intention is to give citizens transparency about how their data is being used and what it is being used for, and to give them enforceable rights over it.
The main questions to focus on when working towards GDPR compliance are: why am I collecting this data? Is it necessary? And where and how will I store the data so that it is secure?
First, why am I collecting this data?
Transparency is key when it comes to compliance. This means that you need to ensure that the person you are collecting data from knows what you intend to do with it. If, for example, you require an email address to download a price list but after sending that price list you intend to send them monthly email newsletters, you must have an opt-in process in place rather than an opt-out: consent must be a clear affirmative action, so a pre-ticked box or silence does not count, and the marketing use has to be stated separately from the price-list download rather than bundled into it.
Data subject access requests have changed too. Companies cannot charge for complying with a request unless the request is 'manifestly unfounded or excessive', in which case they may charge a reasonable fee or refuse the request (and must be able to justify that decision). The time you have to comply has been reduced to one month from receipt, with a possible extension of up to two further months if the request is particularly complex or you have received a large number of them; the individual must be told about any extension, and the reason for it, within the first month.
Next, is it necessary to collect this data?
If you are collecting data or have data stored from previous interactions, then you must have a lawful basis for keeping it (for example consent, a contract with the individual, or a legitimate interest that is not overridden by their rights). If an individual asks you to delete their data and you cannot point to a lawful basis for continuing to hold it, then under Article 17, the right to erasure (the 'right to be forgotten'), your business must delete it without undue delay. The right is not absolute: you may keep data you are legally obliged to retain or that you need to establish, exercise or defend legal claims, but you must tell the individual why you are refusing. Deletion should also reach backups and any processors you have shared the data with, not just the live database.
Data collected before 25 May 2018 on 'broad-based consent', or collected in a way that would not satisfy GDPR's requirements, is referred to in this guide as 'Historical Data'. Processing such data is no longer lawful after that date and there are no exceptions or 'grandfather provisions' for it: consent obtained before GDPR applied remains valid only if the way it was obtained already met the GDPR standard. For anything else you must obtain fresh consent that does meet the standard, identify another lawful basis that genuinely applies, or stop processing and delete the data.
Finally, where and how will I store the data so that it is secure?
Once you have gathered data and the client has opted in to hearing from you, you need to ensure that their data is protected. Article 32 requires security measures appropriate to the risk and names encryption and pseudonymisation as examples, so the recommended approach is to keep personal data in encrypted files or an encrypted store. Encryption only helps if the keys are kept separate from the data and access to them is restricted; an encrypted file whose key sits alongside it protects nothing. Audit logs will also be a key component of your data protection: they let you show who accessed or changed personal data and when, support troubleshooting the security of your files, and are what you will rely on to establish the scope of a breach, which must be reported to the supervisory authority within 72 hours of becoming aware of it. Keep the logs themselves protected and retained for a defined period, and make sure they record access to the data without copying the personal data into the log.