BLOGS
Time To Grow: what is GDPR?
With the introduction of GDPR in May 2018, the UK underwent the most dramatic changes to its Data Protection laws in over twenty years.
But what does GDPR mean for your business?
In the second blog of our Time To Grow series, we’ve covered GDPR in simple terms, highlighting everything you need to know.
What is GDPR?
General Data Protection Regulation (GDPR) forms part of the Data Protection Act 2018, safeguarding personal and sensitive data.
As outlined by the Information Commissioner’s Office (ICO) – which acts as the UK’s watchdog – data protection is the fair and proper use of information about people.
The ICO explains that data protection is a responsibility of all businesses; if you collect information about individuals for any reason other than your own personal, family or household purposes, you must comply.
How should you keep data safe under GDPR?
At a glance, GDPR sets out seven key principles to keeping information safe that should lie at the heart of your strategy.
Data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific and legitimate purposes
- Limited to what is necessary for the purposes of processing
- Kept accurate
- Kept for no longer than necessary
- Processed in a secure manner
- Under the control and responsibility of a controller
Why is GDPR important?
A data security breach can be costly, both for your organisation's finances and reputation.
GDPR acts as a crucial frontline defence against cybercrime and fraud.
Additionally, non-compliance with GDPR can result in a hefty fine of up to €20 million or 4% of the business’ annual turnover, whichever is greater.
GDPR: what is personal data?
Personal data is any information relating to an identified or identifiable natural person (the ‘data subject’) – this could be:
- Name
- Address
- Telephone/mobile number
- Credit card details
- IP address
- Website cookies
GDPR: what is sensitive data?
Sensitive data includes information such as:
- Racial or ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Information about a person’s sex life or sexual orientation
- Criminal record information
How can businesses lawfully collect personal data?
There are six lawful bases under which an organisation can process personal data, the most popular being consent.
See all six lawful bases here.
Perhaps the most significant change to the basis of consent under GDPR is that it needs to be given positively and unambiguously.
Individuals must ‘opt-in’ to having their data processed; pre-ticked boxes and inactivity do not constitute consent.
Real-life example: when you create a new account on a website, you’ve most likely seen a tick box where you agree to have marketing material shared via email and text. That tick box, asking for your consent, is there due to GDPR, as you have to explicitly opt into giving your data.
What are an individual’s rights under GDPR?
One of the goals of GDPR is to give the public control over their data, with individuals now having eight rights over their data under GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights about automated decision making and profiling
How to keep your business GDPR compliant
GDPR compliance can seem daunting, but we’ve broken it down, highlighting four ways you can safeguard and improve your processes.
1) Check your policies are in line with GDPR
Firstly, review your existing privacy policies to ensure they comply with GDPR and make it clear that individuals have the right to object or withdraw their consent to the processing of their data.
2) Review your data processing practices
Follow best practices for the protection of both digital and paper records; regularly review the personal information you hold and erase or anonymise personal data once it is no longer required.
Additionally, don’t leave paper documents containing personal data lying around – instead, opt for a digital solution that can securely store all your information encrypted in the cloud.
3) Implement cybersecurity measures
Once your documents are digitised, it’s time to implement cybersecurity measures such as multi-factor authentication, firewalls and anti-virus protection.
4) Educate your employees
One of the most common causes of data breaches is human error.
To ensure your minimising the risk of cyberattacks, it’s crucial that you educate employees on your data protection policies and why they’re important.
More information
For detailed guidance on GDPR and how it impacts your organisation, visit the Information Commissioner’s Office (ICO) website.
Time To Grow
We have a wide range of solutions that can help with security, and what’s more, for a limited time, we’re offering up to 50% off all IRIS software – click here for more information.
*GDPR rules can be complicated, so please only treat this blog as a guide, and speak to a professional advisor for legal advice.