So the GDPR has been with us nearly two years. In the beginning there was a flurry of emails demanding consent and people panicking that they would no longer be able to contact their customers. Yet the actual purpose of the new legislation was often overlooked or unclear. Data, according to The Economist recently, is more valuable than gold. The GDPR is designed to protect people’s rights. Imagine it’s your children’s personal data and the importance becomes clearer.
What data is it trying to protect? It's personal data – anything that identifies a natural living person. So, if you aren't a company and you aren't dead, it applies to you. This could be contact details, an NI number or a passport number. It could also be special category data such as health details, nationality or religious beliefs.
What the ICO is looking for is for individuals' data to be treated well: to have a specific reason for holding it, a lawful basis for processing it, and to keep it only for as long as you need it.
Consider a normal company selling, let's say, watches. There will be clients, suppliers and possibly employees. The client data will be needed for repeat orders, batteries and warranty issues. You can't keep your client data forever, but you could keep it for the warranty period plus possibly a couple of years for any outstanding issues. Again, you can't keep supplier and employee data forever either, and you should have a data retention period in place that covers all of the personal data you need in order to run your business. The ICO isn't saying that you can't have the data, only that you should use it and keep it for no longer than you need to.
The legal basis for processing the data is also important. This could be a number of reasons but in most businesses, it is legitimate interest, contractual obligation and consent. The others are vital interest, public interest and legal obligation. Legitimate interest could be providing a quotation and contractual obligation could be paying for a product received.
With GDPR there are other things to consider too. Data subjects (those we hold information about) have rights over the data that we hold about them. We also need to be able to deal with data breaches when they occur. There are marketing considerations as well, and legitimate interest assessments are very useful here. Data protection impact assessments also need to be completed for processing certain types of data, to ensure you are reducing risk.
Data flow maps are a very good idea, as they look at the ways data moves around your world: from where you store your data, to the third parties you pass your client data on to. It all helps identify risks and duplicated transfers which might not be necessary. It may also show where giving access to information, instead of transferring it, would be the safer option.
It may seem like a minefield, but there is lots of useful information on the ICO website. GDPR doesn't have to be complicated – that I promise!
About the author:
Louise Hickman is an experienced GDPR Practitioner and Commercial Manager with a background in law and quality management. She helps numerous sole traders and small to medium businesses to simplify their data, introduce data protection by design into their planning and avoid fines. If you want a free GDPR health check please do get in touch: firstname.lastname@example.org or go to www.trustedcompliancesolutions.co.uk