New legislation comes into effect on the 25th May 2018 which concerns how you interact with members or customers of your organisation or business. There have been scare stories around the new fines that may be levied against non-compliant organisations and these have caused many people to panic over what they need to be doing.

The first point to make clear is that the fines are nothing to worry about, the Information Commissioners Office (ICO) are encouraging people to get in touch with them for advice and support in implementing the new law and are not looking to fine small organisations or businesses for non-compliance. The large fines are a last resort for organisations or businesses that refuse to comply with the new laws and demonstrate repeated neglect of responsibility under the new GDPR regulations.

The key purpose of the new regulations is to ensure that customers or members are aware of what data is being held, how that data is being used and their right to request that this data is deleted in a timely fashion should they request this.

There are 6 key questions which you need to consider in preparing for the GDPR regulations:

  1. What data do we hold on people?
  2. Why do we need to collect and store this data?
  3. Where is the data kept and in what form (digital, physical)?
  4. How long do we need to keep the data for?
  5. Who has access to this data?
  6. How do we ensure the data is secure?

By considering these questions you can write your new privacy policy as you go, the answers to these questions make up the main body of your privacy policy which is the central document for the GDPR regulations and ensures compliance with the new regulations.

To address each of these questions in turn:

  1. What data do we hold – this could be as simple as name and email address, or as complex as medical records or personal information. You will need to consider carefully what data you actually NEED to hold on individuals in order to answer the second question
  2. Why do we need this data – This is commonly answered as a need to communicate/contact individuals who are interested in your business or organisation, however there may be more in depth reasons for holding specialist data
  3. Where is the data kept and in what form – This is most commonly answered by the word “online” or in the cloud as most businesses or organisations will keep contact information in some digital format. This may be a list of email addresses in an email program on a computer or it may be an online list held within a customer management system (CMS). You will need to consider if you have historic records on paper that also need to be mentioned in your policy document
  4. How long do we need to keep the data – some data is time sensitive, whilst other data is not. Contact details may be kept indefinitely, but the right to have them deleted upon request should be addressed as part of your policy
  5. Who has access to the data – This needs careful consideration and it may help to discuss this with other members or employees of your organisation or business. It may be a useful time to reconsider who has access to what data and if they really need to have access to it. These people will need to be listed in the policy document.
  6. How do we ensure the data is secure – This may be as simple an ensuring the computer the data is held on has regular security updates and a recognised anti-virus solution with regular backups. If the data is held online then you may wish to consult with your service provider to check what security measures they have in place to protect data. If in doubt, consult with an experienced computer technician to determine what measures are in place to secure systems or services holding data.

You will need to appoint a data controller within your organisation or business who is responsible for updating the policy document and responds to requests for data or deletion of data. This also entails writing a simple procedure for responding to data requests or data deletion requests. This must factor in the time element as deletions of data are expected to occur within 30 days of the request being received.

You also need to consider if you have data processors, one example of these would be a mailing list service, such as Mail Chimp, used for sending out marketing or advertising materials. If you use services like these then you need to contact them to confirm their compliance with GDPR regulations. Most services you use will likely already be compliant with GDPR regulations and you can add this to your policy document accordingly.

It is also advisable to ensure data is held in one place and not duplicated. If your organisation or business has multiple individuals who hold contact information or other personal data on customers or members then it would be advisable that they delete this information from their devices and use a centralised list held on a server or central system.

The last thing to remember is that your GDPR policy and procedures should be reviewed on a regular basis. This can be as regular as deemed suitable for your organisation or business but should be at least once a year. This provides an opportunity for feedback on what is working well and what needs reviewing.

The ICO website has a number of useful resources for those planning their GDPR documentation and procedures – https://ico.org.uk/

Author: Adam Collett