If you’re an SME business owner and you’re reading this, you’re probably looking for answers on how to tackle the arrival of the GDPR, which brings sweeping changes to the responsibilities of businesses in how they obtain, store and keep personal data on customers and prospects. Here’s a Practical Guide to the Principles of GDPR and Data Protection:
Control where your data is and how it’s stored, shared and accessed
New Responsibilities under GDPR
While the Irish Data Protection Acts of 1988 and 2003, and the UK 1998 Data Protection Act imposed responsibilities on organisations large and small around data protection, in May 2018 the General Data Protection Regulation (GDPR) will replace these Data Protection Acts and will impose many new responsibilities and sanctions on organisations. The three major responsibilities on organisations are:
#1. Accountability
The GDPR is big on accountability. The SME will have to be able to prove its compliance with the data protection regulations. It will have to be seen to be complying and making every appropriate attempt to comply.
#2. Notification of data breaches
There are exemptions for minor breaches, but all other breaches must be reported to the regulators within 72 hours. In addition, all customers affected by the breach have to be informed.
#3. Consent and privacy notices
The GDPR means businesses must get consent to use the data they collect from consumers. The GDPR has a principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Consumers are also allowed to withdraw consent and to ask to see what information is stored about them.
New Sanctions under GDPR
The GDPR aims to strengthen individuals’ rights to privacy in an environment where data is ubiquitous. If those rights are not respected, there are severe penalties for non-compliance, and there are no exemptions from these.
Companies could be fined up to €20,000,000 or 4 percent of annual turnover.
The 8 Principles of Data Protection Still Stand
It’s still the case with GDPR that every organisation should follow these 8 principles of data protection:
- Obtain and process the information fairly
- Keep it only for one or more specified and lawful purposes
- Ensure that it is adequate, relevant and not excessive
- Keep it accurate and up-to-date
- Process it only in ways compatible with the purposes for which it was given to you initially
- Retain it no longer than is necessary for the specified purpose or purposes
- Keep it safe and secure
- Give a copy of his/her personal data to any individual, on request.
Rights of Individuals under GDPR
There are 6 particular rights of individuals under GDPR:
#1. Subject access
If a customer or prospect submits a Subject Access Request (SAR), you have to respond within 30 days and supply them with a copy of the information you hold on them.
Practical implementation: You will need to define a process for dealing with SARs promptly.
#2. To have inaccuracies corrected
Having obtained a copy, if they require inaccuracies to be corrected this has to be done in a timely manner.
Practical implementation: Make this part of your SAR process: someone updates the inaccuracies, takes a screenshot to keep for audit purposes, and follows up with the customer/prospect to confirm that the update has taken place.
#3. To have information erased
If someone wants to be “forgotten”, then you have to delete them from your data.
Practical implementation: Before you can erase someone’s personal data, you have to locate every instance of it. You will also need to be able to demonstrate somehow that they are no longer on your data files.
#4. To object to direct marketing
You must remove them from your marketing communications if requested. And more importantly, you now need to be able to show that they gave consent to be on your marketing list.
Practical implementation: Marketing email software providers offer easy unsubscribe and removal from mailing lists, and double opt-in is a must to be able to prove consent to joining your list.
#5. To restrict the processing of their information
This means that an individual can limit the way that an organisation uses their data. It’s an alternative to requesting that their data be erased. This includes automated decision-making.
Practical implementation: As a matter of good practice you should automatically restrict processing if you have been asked about data accuracy or if the individual has questioned the legitimate grounds for processing their personal data.
#6. Data portability
Can you provide the data electronically and in a commonly used format?
Practical implementation: Provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data.
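The six rights above boil down to a small set of operations a business must be able to run against every place it holds personal data: find every instance of a person, hand it over in a machine-readable form, correct it with evidence, restrict it, check consent before marketing, and erase it and prove the erasure. The following is an added example, not code from the original post and not Rinodrive’s; it uses a constructed in-memory inventory of three hypothetical stores (a CRM, a mailing list and support tickets, all assumed names) and an audit log so each action leaves evidence for the accountability requirement.

```python
import csv
import io
from copy import deepcopy
from datetime import datetime, timezone

# Constructed sample data: three hypothetical places an SME might hold the same
# person's details. An inventory like this is the prerequisite for answering a
# SAR or an erasure request completely rather than just in the system you remember.
SAMPLE_STORES = {
    "crm": [
        {"email": "ann@example.com", "name": "Ann Example", "phone": "+353 1 000 0000"},
        {"email": "bob@example.com", "name": "Bob Sample", "phone": "+353 1 111 1111"},
    ],
    "mailing_list": [
        {"email": "ann@example.com", "double_opt_in": True, "restricted": False},
        {"email": "bob@example.com", "double_opt_in": False, "restricted": False},
    ],
    "support_tickets": [
        {"email": "ann@example.com", "subject": "Invoice query"},
    ],
}

AUDIT_LOG = []  # evidence trail: what was done, for whom, and when


def sample_stores():
    """Fresh copy of the constructed inventory so each request starts from known state."""
    return deepcopy(SAMPLE_STORES)


def _audit(action, email, detail):
    entry = {"when": datetime.now(timezone.utc).isoformat(), "action": action,
             "subject": email, "detail": detail}
    AUDIT_LOG.append(entry)
    return entry


def locate(stores, email):
    """Right #1 (and the prerequisite for #3): every record about this person, by store."""
    found = {}
    for store, rows in stores.items():
        hits = [row for row in rows if row.get("email") == email]
        if hits:
            found[store] = hits
    return found


def export_csv(stores, email):
    """Right #6: one structured, machine-readable CSV covering every store."""
    found = locate(stores, email)
    fields = ["store"] + sorted({key for rows in found.values() for row in rows for key in row})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for store, rows in found.items():
        for row in rows:
            writer.writerow({"store": store, **row})
    _audit("export", email, "%d records from %s" % (sum(len(r) for r in found.values()), sorted(found)))
    return buf.getvalue()


def rectify(stores, email, store, changes):
    """Right #2: apply corrections and keep the before/after values as audit evidence."""
    changed = 0
    for row in stores.get(store, []):
        if row.get("email") == email:
            before = {k: row.get(k) for k in changes}
            row.update(changes)
            _audit("rectify", email, "%s: %r -> %r" % (store, before, changes))
            changed += 1
    return changed


def restrict(stores, email, reason):
    """Right #5: flag the person so automated processing (e.g. mailings) skips them."""
    flagged = 0
    for row in stores["mailing_list"]:
        if row["email"] == email:
            row["restricted"] = True
            flagged += 1
    _audit("restrict", email, reason)
    return flagged


def can_send_marketing(stores, email):
    """Right #4: only contact people with provable (double opt-in) consent and no restriction."""
    for row in stores["mailing_list"]:
        if row["email"] == email:
            return bool(row["double_opt_in"]) and not row["restricted"]
    return False


def erase(stores, email):
    """Right #3: delete every instance, then re-run locate() to prove nothing remains."""
    before = sum(len(rows) for rows in locate(stores, email).values())
    for rows in stores.values():
        rows[:] = [row for row in rows if row.get("email") != email]
    after = sum(len(rows) for rows in locate(stores, email).values())
    _audit("erase", email, "removed %d records, %d remain" % (before, after))
    return before, after


if __name__ == "__main__":
    stores = sample_stores()
    print(export_csv(stores, "ann@example.com"))
    print("erased (before, after):", erase(stores, "ann@example.com"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of `erase()` returning a before/after count from a second `locate()` pass is that "we deleted it" is not evidence; a re-check that finds nothing is. Likewise `can_send_marketing()` refuses anyone without a recorded double opt-in, which is what lets you show consent rather than assert it.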
The 6 principles of GDPR
These are the six principles of GDPR for data collection and data protection:
- Lawful, fair and transparent – there has to be legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect.
- Limited for its purpose – data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.
- Adequate and necessary – it must be clear why the data is being collected and what will be done with it. Unnecessary data or information without any purpose should not be collected.
- Accurate – reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate.
- Not kept longer than needed – data should not be kept for longer than is needed, and it must be properly destroyed or deleted when it is no longer used or goes out of date.
- Integrity and confidentiality – data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, loss, damage or destruction, and kept safe and secure.
Organisations who already apply these principles will find the transition to the GDPR less difficult.
Rinodrive has been built to help businesses meet GDPR requirements. At Rinodrive, security and privacy are the highest priority. We understand that the confidentiality of data and protocols is critical. All of your data is stored in highly secure data centres managed by dozens of compliance programs and audit safeguards. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.
Ready to give Rinodrive a go? Signing up for a free trial is just
We hope this practical guide to the Principles of GDPR has been helpful. What’s your experience of preparing for GDPR so far? Share your thoughts below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).