WHAT ARE YOUR LEGAL PRIVACY & GDPR REQUIREMENTS?
The GDPR (General Data Protection Regulation) is a set of rules laid down by the EU in May 2018 around how businesses are required to deal with personal data. Sounds like a right laugh when you put it like that, doesn’t it? But whether you like it or not, whatever your business model, you must make sure that you comply with these rules. Although it is an EU law, it is showing no signs of changing, regardless of the status of Britain’s membership. Now, this may seem daunting, but if you are vigilant about your data practices from the outset, hopefully the task won’t be too arduous.
If you click here you will find a very comprehensive and lengthy checklist on what to do to ensure your GDPR compliance. However, before you delve into that, take a look at our slightly less stressful list of the principles upon which the GDPR has been built. With any luck you will find that you are already more compliant than you first thought…
1. Be Lawful, Transparent and Fair
Lawful. Any information you acquire from a client must have been obtained by lawful means. All of these are laid out in the official GDPR guidelines.
Transparent. You must make it explicitly clear what you are using a client’s data for, how long it will be kept and what the processing time will be.
Fair. Basically, you need to keep your word to your clients as regards their data. You must only use the information they have given you for what you have told them you would. No extras!
2. Collect the Minimum Data Required
The GDPR is designed to ensure that you collect only the data that is required to carry out your business. To comply with the regulation, you will have to prove that the information you collect is relevant to your business. So, when creating your data policy, be as economical as possible.
3. Accurate and Up-To-Date
Any personal information you collect needs to be kept up to date. If personal details or accounts are out of date, they need to be removed, as retaining outdated information is in breach of the GDPR.
4. Specific Retention Period
All data collected should be collected in the understanding that it will only be retained for a certain period of time. You will have to prove that the retention of the data for your chosen period is of genuine use and benefit to your business. Any information kept after the specified time will need to be removed from your system.
Your collected data must be anonymous where possible, and all of the data you process should be under the protection of sufficient cyber security measures. Essentially, you must be able to prove that all of your information is safe from hackers and that it has a number of fail-safe measures in place.
Every data policy and every system put in place needs to have been carefully planned and recorded in official documentation. This means that every decision made around day-to-day data collection can be justified or measured against your official business policies and guidelines.
These are the GDPR principles in simple form. If you already do all of these, then you are on the right lines already. If not, it would be best to align your business with these principles before diving into the full GDPR checklist.