May 25th, 2018 came and went by.
GDPR is here.
In fact, it’s been here for two months now. GDPR encroached upon all businesses that hold data on EU residents. The UK’s Data Protection Act has a supplanter.
If you don’t know them already, it’s important to learn the basics of GDPR now. Because GDPR is going to affect the way your business collects data, holds that data, and even analyses that data.
Let’s start by looking at the rights that a data subject (any EU resident whom your company holds data on) possesses under GDPR:
Data subject rights:
- The right to be informed regarding your personal data.
- The right of access to your personal data.
- The right to rectification.
- The right to erasure (some are calling this the right to be forgotten).
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights regarding automated decision making and profiling.
The GDPR is not an easy read. You’re probably not going to find yourself unable to turn away from it while you’re sipping Long Island Iced Teas by a swimming pool. Better to stick to Tom Clancy thrillers for that.
One reliable source’s November 2017 survey found that across industry sectors in EMEA, only 15% of organizations expected to be fully compliant by the deadline last month.
And for that reason, during the run-up to the compliance deadline of May 25th, 2018, many businesses hired data protection officers, compliance consultants, and anyone else who could interpret the legal text.
How serious is GDPR?
Well, it depends how serious you think it would be if you had to pay a fine as high as either €20 million or 4% of your annual turnover (whichever is higher) for breaching GDPR.
For almost every company, this is serious. And if the financial penalty doesn’t make you shiver with fear, think about how your company’s reputation will suffer, too, when the press learn that you’re in breach of the General Data Protection Regulation…
So what happens, post-deadline?
The EU didn’t just want businesses to scramble towards compliance by a certain date and then stop there. GDPR is here to stay, and that means you need a sustainable strategy for how you collect and process data today, tomorrow, and 12 months from now.
According to Article 5 of GDPR, here’s what you need to do every time you handle a piece of EU resident data:
- Process it lawfully, fairly, and in a transparent manner.
- Collect data only for specific and legitimate purposes. You cannot use someone’s data for anything other than those specific purposes.
- Collect only data that are relevant to, and no more than is needed for, the purpose you are processing them for.
- Keep the data accurate and up to date.
- Fix or remove any inaccuracies without undue delay.
- Do not store someone’s data for any longer than you need to.
- Store all data with an appropriate security solution, one that protects against unauthorized or unlawful processing and against accidental loss, damage, or destruction.
How is GDPR going to affect the way you collect data?
Review all of the employee data you hold
That’s right. This isn’t just a customers’ data thing. You need to look at what data you’re holding on your staff.
Let’s take a moment to think about all the data you probably hold on your employees: a version of their CV, their National Insurance number, a copy of their passport photo, their date of birth, their full name, their home address, contact number, email address, age, bank details, salary history, references… just to name the most obvious.
It’s time to document all of this data, label it properly, and store it securely. You also need to clarify how you acquired the data and any third parties that you’ve shared the data with to date.
It might sound like a mind-numbing task, but you probably don’t want your data shared or stored without your consent, so why would anyone else?*
Ensure that your HR officer, if you have one, works with whoever is in charge of data protection at your company (your data protection officer, if you have one). Your employees are data subjects, and it’s up to you and your management to make sure that you adhere to the rights that data subjects now have under GDPR. If one of your employees wants you to erase a piece of data, you will probably need to do so.
Review the way you’re managing consent
You need to focus on acquiring explicit consent when you seek someone’s data. Just presuming that somebody’s giving you their consent is not good enough, and that applies to clients, customers, and again, your employees.
If you haven’t already, create an opt-in form and circulate it to everyone on your staff to start with. While you’re at it, review your past strategies for asking for and recording data.
Does your privacy notice state your identity? It should. It also needs to clarify how you intend to use any data that you’re trying to collect, and how long you plan to store it.
Best to review your privacy notice.
Make sure your staff know their rights regarding their data
There’s no reason to keep your employees in the dark. If you proactively explain GDPR to your staff and inform them about how their rights are expanding, you’ll keep them happy.
Let them know they can refuse you permission to process their personal information if they so wish. Let them know, as well, that in certain circumstances they can request that you delete their data. One reason for making this request would be that the reason for collecting and holding the data is no longer valid, or that they have withdrawn their consent.
In conclusion, now that the dust of the GDPR storm is settling, it’s critical that your company does not stop taking personal data seriously. If your organization is careless, both customer and employee data are at risk. Storing and sharing data safely is part of the larger project of building a more secure digital world.
*Being indifferent to what people do with your data is not a free pass for not caring about your customers’ or employees’ data.