The rules about processing peoples’ personal data underwent significant change with the implementation of the EU’s General Data Protection Regulation (GDPR) in Europe. The law puts in place a uniform set of rules for processing personal data across the EU and beyond.
With stiff penalties for failing to comply, it’s important that any organisation that handles personal data is compliant with the rules. While we aren’t lawyers, and this isn’t a substitute for qualified advice, we’ve highlighted 5 tips that could help you get up to date with GDPR if you haven’t already.
Tip 1. Know what data you’re dealing with
A good first step to making sure you are doing the right thing with personal data is to take some time to think about all the different types of data you collect, what you do with it, and why you need it.
For example, you might have an email newsletter sign-up form. Think through all the information it is collecting, and why. Also think about other areas where personal data is being processed (which includes simply storing it). Staff HR data, customer databases, mailing lists: the list can go on, but once you know where you are, it will be easier to understand what you need to do to protect that data and comply with the law.
Tip 2. Reduce the data you handle
After you’ve got a good picture of what data you’re collecting, and why, you should think about whether it really needs to be collected. One of the key principles of GDPR is that data must be “adequate, relevant and limited to what is necessary”. In short, if you don’t need to collect a particular piece of personal data, don’t collect or keep it. For example, someone’s street address or phone number is probably not necessary for sending an email newsletter.
Tip 3. Get consent
One of the key things about GDPR is the importance placed on ensuring that you have permission to process personal data. There are several different grounds for permission to use personal data, but in many cases, you will need to get permission from the individuals whose data you want to handle.
We’ve all been through this; you buy something online or make an account for a website and have to tick a box to say that you consent to receive marketing communications.
What is important about GDPR is that you have to make sure that people can opt in, and that certain information—like your organisation’s contact details, the right to request a copy of information held, the right to have data removed, and the right to complain to a data protection regulator—is clearly displayed in your privacy policy.
After this, you also need to make sure you keep a record that each person you hold data for has consented to that.
But you can sum this up as, in most cases, don’t process someone’s personal data if you don’t have their permission.
Tip 4. Use plain language
Of course, as well as ticking the opt-in checkbox, we’ve also all taken a peek at terms and conditions, usually to be confronted with walls of legalese. Under the new rules, you have no excuse for opaque terms and conditions. When you write your privacy policy, make sure you write it in simple terms. You shouldn’t need to be a lawyer to read and understand the average privacy policy!
Tip 5. Make sure you have the skills to protect personal data
It’s impossible to cover everything in 5 tips, so make sure you have the skills you need to protect personal data. As you’ll have seen if you did a data audit, you’re probably processing more personal data than you thought, even if you’re working in a fairly small organisation.
Our new Data Protection module, aimed at people working in small and medium-sized organisations who have to deal with personal data as part of their jobs, is designed to help organisations in their efforts to become compliant and to be assured that their workers have the right skills.