Prepare now for changes to Data Protection Regulations
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).
Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.
The main changes are:
1.The Right to be Forgotten
This is the main change. A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request. However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.
2. Improving Consent and Withdrawal of Consent
The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign-up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking.
Importantly, it must be as easy for customers to withdraw consent as it is to give consent. So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.
3. Right to Access
The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.
4. Notification of Data Breaches
The GDPR will require you to notify the Information Commissioners’ Office within 72 hours of first having become aware of the breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.
It is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.
Guidance and more information on GDPR can be found on the Information Commissioners’ Office website.