GDPR – the New General Data Protection Regulation
The likelihood is that you have heard of the introduction of the new GDPR data protection rules. They come into effect on 25th May 2018. Overall I believe they are a long-overdue measure in allowing people to get some control over their data, although I have already seen Facebook and a couple of other companies announcing changes that enable them to get around the requirements.
If you are in business anywhere within the EU, the chances are you’ll have seen the same host of emails I have from consultancy companies trying to make it all look scary and then trying to sell you vastly over-priced compliance services. Plus a couple of sensible ones with more reasonably priced offerings. But for small businesses like ours, GDPR is 95% about common sense and respecting our customers.
The basic principles
I’ve taken these directly from the ICO website. The basic principles are that personal data should be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
I like to think that we are an ethical business, so most of this is built into what we do in a natural way. But over the last few weeks, I have carried out a review and taken a few measures to reinforce the way we look after data.
Things we’ve always done which meet the requirements of GDPR
- Our email newsletter mailing list is opt-in, and has been for many years.
- Every email newsletter includes an unsubscribe link.
- We believe our security measures are sufficient, both in terms of IT security and physical security.
- We have never collected personal financial information, card numbers etc.
- Data is only passed to third parties for necessary reasons (e.g. payment processing for online orders). We check that they meet current UK and EU data protection legislation.
- We have never sold or passed personal data to third parties for marketing purposes.
Things we have done to improve our compliance with GDPR
- Reviewed our email mailing list contacts and eliminated some of the oldest ones. Our very first website many years ago had a pre-ticked opt-in box, which met the requirements then but doesn’t now. Let me know if you think you are subscribed to our email list and didn’t opt in. I’ll happily manually unsubscribe you. Then I’ll review the cut-off date I used!
- Reviewed all files on each computer we use which could contain personal data. We deleted all unused, out-of-date or unnecessary ones.
- Confirmed with key service suppliers (PayPal, MailChimp, etc.) that they are GDPR compliant.
- Reviewed and updated our policies about requests for data held (“Subject Access Requests”), and data update or deletion requests.
- Recently had our website penetration tested to identify and resolve any security issues. We found and fixed a couple of very minor low-risk issues. This is actually pretty much an ongoing process for us!
Hopefully this puts your mind at rest that we are doing the right thing and safeguarding your data. As ever, feel free to drop me a line or comment below if you have any concerns!