Fear of GDPR
Have you suddenly realised that your business might need to make some changes to comply with GDPR? Are you living in fear of it?
With 25th May, 2018, the date the new regulation – the General Data Protection Regulation (GDPR) – comes into force, looming ever closer, it is time to make changes in advance in order to be compliant.
GDPR is not something to be fearful of, but as it is a change in regulation, it is good business practice to make changes now. Recent news of Facebook and its data protection breaches has made the public more aware of how readily and easily their information was shared on a previously trusted social media platform. If you hold information on your customers, they also trust you with their information. You need to comply with this regulation change, which will bring Ireland in line with European data protection rules.
The part to be fearful of is the fine! If your business is found not to be compliant with GDPR, the fines are substantial: €20,000,000 (or 4% of total annual global turnover, whichever is greater).
The Data Protection Commissioner has drafted some excellent information on GDPR and we’ll follow their guidance closely over the coming weeks and months and share insights with you. There is a checklist on personal data on their website which is worth familiarising yourself with:
• Why are you holding it?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties and on what basis might you do so?
You might start by saying that you don’t hold customer data, but think again:
• Do you collect information, including email addresses and phone numbers, on an enquiry form on your website?
• Do customers contact you via the contact details on your website and provide you with information so that you can reply to their query?
• What information do you hold on your invoice system?
• Do you have a “little black book” of customer contact details?
• Do you have an email database for contacting your customers via email marketing?
The list is endless and we’ll remind you of other ways you might hold data in weeks to come.
Most importantly, do you have each customer’s explicit permission to hold their information? If not, make contact with the customer to update your database and keep the consent on file, if appropriate. If you don’t receive explicit permission, the safe course is to remove this information from your records.
The Data Protection Commissioner also points out that rights for individuals under the GDPR include:
• subject access
• to have inaccuracies corrected
• to have information erased
• to object to direct marketing
• to restrict the processing of their information, including automated decision-making
• data portability.
This PDF on the Data Protection Commissioner’s website is worth referring to if you’re in business and need to understand GDPR better – https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf