What is it?
The GDPR (or General Data Protection Regulation) is a regulation brought about by the EU to bring legislation up to date with the way data is now used (it comes into force before Brexit is scheduled to be enacted, so there’s no wriggling out of it that way. Sorry). It replaces the Data Protection Act and has bigger financial penalties for non-compliance: up to €20 million or 4% of annual turnover.
When does it come into force?
The GDPR applies automatically from 25 May 2018.
So how does it apply to me?
If you collect and store the personal data of EU citizens, whether that’s via some uber-sophisticated CRM software or paper forms at a box office (phone number, email, postal address etc.) then it applies to you. You will need to assess the way you use data and how the companies you outsource to handle data management or processing manage these too (audience insights agencies, ticketing companies etc.) as there will be more accountability for all parties.
There are no concessions or exceptions for charities, so if you have volunteers within your organisation, you need to make sure they understand the rules around this too.
But we’re compliant with the Data Protection Act…?
Cracking, you’re probably most of the way there.
Broadly speaking, there’s not a great deal of difference between what you can and can’t do with an individual’s data. The main differences between the GDPR and the DPA are that there’s greater accountability for organisations and higher standards to adhere to when obtaining, recording and storing data. This means:
- Providing evidence of how you collect and protect data
- Being able to delete an individual’s data efficiently if asked, and being able to show how you would do this
- Reporting data breaches (this is compulsory)
- Adding information to privacy notices (e.g. how long you keep the data for, your identity, your legal basis for collecting the data and how an individual can complain)
- Keeping a paper trail evidencing that consent was given
- Being more explicit when obtaining consent (e.g. no pre-checked marketing boxes)
- Appointing a Data Protection Officer if your organisation has more than 250 people
- Making it easy for the user to understand what they’re signing up to: if they don’t understand, they can’t consent
- Obtaining verifiable parental consent if your organisation deals with children’s data (under 13s)
So where do I start?
This can all sound a bit daunting, but it’s actually fairly straightforward. The good news is that it can be done a bit at a time, and the ICO have put together a tick list to guide you through it, as well as a jargon-free 12-step guide.
A good place to start might be cross-checking your communications around how you ask for consent, establishing how you would delete personal data by writing guidelines, or refreshing the way you tell consumers how their data will be used.
Remember! You don’t have to do it all alone. Make sure that your key stakeholders know this is coming, and ask for any support you need. Also chat to us if you need some advice on how you could amend your current website and processes.
And one more thing: We’re digital experts, not lawyers. The above is intended as a starter for ten only. We highly recommend getting legal advice to check over your current procedures and any changes you put in place.