The rules about processing people’s personal data are undergoing significant change this month, with the implementation of the EU’s General Data Protection Regulation (GDPR) in Europe. The new law puts in place a uniform set of rules for processing personal data across the EU and beyond.
With stiff penalties for failing to comply, it’s important for any organisation that handles personal data to be ready for the new rules. While we aren’t lawyers, and this isn’t a substitute for qualified advice, we’ve highlighted 5 tips that could help you to comply with GDPR.
Tip 1. Know what data you’re dealing with
A good first step to making sure you are doing the right thing with personal data is to take some time to think about all the different types of data you collect, what you do with it, and why you need it.
For example, you might have an email newsletter sign-up form. Think through all the information it is collecting, and why. Also think about other areas where personal data is being processed (which includes simply storing it). Staff HR data, customer databases, mailing lists: the list can go on, but once you know where you are, it will be easier to understand what you need to do to protect that data and comply with the law.
Tip 2. Reduce the data you handle
After you’ve got a good picture of what data you’re collecting, and why, you should think about whether it really needs to be collected. One of the key principles of the new GDPR rules is that data is “adequate, relevant and limited to what is necessary”. In short, if you don’t need to collect a particular piece of personal data, don’t collect and keep it. For example, perhaps someone’s street address or phone number is not necessary for sending an email newsletter.
Tip 3. Get consent
One of the key things about the new data protection rules is the importance placed on ensuring that you have permission to process personal data. There are several different grounds for permission to use personal data, but in many cases, you will need to get permission from the individuals whose data you want to handle.
We’ve all been through this; you buy something online or make an account for a website and have to tick a box to say that you consent to receive marketing communications.
After this, you also need to make sure you keep a record that each person you hold data for has consented to that.
But you can sum this up as, in most cases, don’t process someone’s personal data if you don’t have their permission.
Tip 4. Use plain language
Tip 5. Make sure you have the skills to protect personal data
It’s impossible to cover everything in 5 tips, so make sure you have the skills you need to protect personal data. As you’ll have seen if you did a data audit, you’re probably processing more personal data than you thought, even if you’re working in a fairly small organisation.
Our new Data Protection module, aimed at people working in small and medium-sized organisations who have to deal with personal data as part of their jobs, is designed to help organisations in their efforts to become compliant and to be assured that their workers have the right skills.
You can find out more about the module at ecdl.org/dataprotection