The General Data Protection Regulation, or GDPR as it’s known, is all about… wait, WAIT, don’t fall asleep or we’ll start talking about Brexit! Yawn.
Let’s make this quick and easy.
- GDPR is basically about a person’s right to be forgotten
- Companies can hold someone’s data if permission has been explicitly given; a pre-ticked box is not sufficient, it requires a positive action from the subscriber
- Companies HAVE to delete all records and data about an individual, without hesitation, should it be requested, and/or give the individual all of that information along with details of who it was used by
- You could get fined £20 million or 4% of your annual turnover if you breach these rules
- Brexit is like a wasp that doesn’t die: it’s hard to avoid. Whether we leave or not doesn’t matter, we have to comply even though it is an EU directive. It came into force in May 2018
A simplistic view? Yes. It is far more complicated than dealing with your email database, but for many companies this is all they need to be concerned with. If you ‘process’ a person’s data you need to have your house in order: know where all the information is kept and keep it secure. Ideally, GDPR ensures you don’t compromise your reputation, or that person’s, should they not want their information used (or abused) in a certain way.
If you don’t ‘process’ anyone’s data, not even their name, then things are easier for you, but it is better to err on the side of caution. Why? Because ‘process’ is a very open term: if people interact with you and your site online then they have effectively engaged in a process with you, intentionally or not.
SO everyone needs to make sure they not only intend to do the right thing but show it: act with integrity (and, one can argue, legally) and demonstrate that they have the right intent.
How to be GDPR compliant – the basics
- If you take data that a person has actively approved and are going to hold it, you must give them the opportunity to unsubscribe from the service. Not only that, you must make it clear that they can request that all activity they have ever had with the organisation be completely wiped from your systems, servers and databases without hesitation. You will also likely need to prove that you have done so.
- Make sure you CAN actually erase EVERYTHING AND SUPPLY all information to an individual
- Ensure your process for holding data complies and is secure
- Consult your legal team to be squeaky clean
- Notify individuals within 72 hours if you suffer a data breach
- Do this YESTERDAY – you should have everything in place already