The big question on everybody’s lips is ‘What is General Data Protection Regulation (GDPR)?’ and the next question is ‘What do I need to do as a business to comply?’ This article aims to give a quick overview of GDPR and its aims and objectives.
This article is not intended to give an exhaustive insight into GDPR. There is a dedicated website with full details and advice that you can visit for a more in-depth analysis. Visit the Information Commissioner’s Office website for full details on GDPR. There is also a ’12 Steps to GDPR’ PDF document you can download.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
When does GDPR become law?
The General Data Protection Regulation comes into force on 25 May 2018 in the UK. It expands the rights of individuals to control how their personal information is collected and processed.
The Regulation demands that you be able to demonstrate compliance with the data protection principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, as well as building a workplace culture of data privacy and security.
Are there business benefits to GDPR?
- Build customer trust
- Improve brand image and reputation
- Improve data governance
- Improve information security
- Improve competitive advantage
Does it include personal data?
GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person, and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.
Personal data includes:
- Email address
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
What do businesses need to do?
- Companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.
- Companies that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms.
- Individuals also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, their details must be permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to be forgotten.
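The three requirements above (a record of how and when consent was given, an audit trail that shows it, and erasure that reaches every store rather than just the mailing list) are easier to reason about in code. The following is an added example written for this article, not code from Blackberry Design or from any GDPR tooling; the register structure, store names and sample subject are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ConsentEvent:
    """One entry in a subject's consent audit trail (hypothetical structure)."""
    when: datetime
    action: str      # "given" or "withdrawn"
    purpose: str     # what the data is used for, e.g. "newsletter"
    evidence: str    # reference to the saved consent form or screen grab


class ConsentRegister:
    """Hypothetical consent register: per-subject audit trail plus erasure
    that covers every data store the business has registered."""

    def __init__(self):
        self.trail = {}   # subject id -> list of ConsentEvent, oldest first
        self.stores = {}  # store name -> dict or set holding personal data

    def register_store(self, name, container):
        # Every place personal data lives must be registered here; otherwise
        # an erasure request would only clear the stores someone remembered.
        self.stores[name] = container

    def _log(self, subject, action, purpose, evidence, when):
        when = when or datetime.now(timezone.utc)
        self.trail.setdefault(subject, []).append(
            ConsentEvent(when, action, purpose, evidence))

    def record_consent(self, subject, purpose, evidence, when=None):
        # "How and when" consent was given: timestamp plus evidence reference.
        self._log(subject, "given", purpose, evidence, when)

    def withdraw_consent(self, subject, purpose, when=None):
        # Withdrawal is appended, never edited in, so the trail stays complete.
        self._log(subject, "withdrawn", purpose, "subject request", when)

    def has_consent(self, subject, purpose):
        # Only the most recent event for that purpose decides the answer.
        events = [e for e in self.trail.get(subject, []) if e.purpose == purpose]
        return bool(events) and events[-1].action == "given"

    def erase(self, subject):
        """Remove the subject from every registered store and from the trail.
        Returns a per-store count of removed entries: non-identifying evidence
        that erasure happened, without retaining the personal data itself."""
        removed = {}
        for name, container in self.stores.items():
            if isinstance(container, dict):
                removed[name] = int(container.pop(subject, None) is not None)
            else:  # a set of subject ids, e.g. a mailing list
                removed[name] = int(subject in container)
                container.discard(subject)
        removed["consent_trail"] = len(self.trail.pop(subject, []))
        return removed


def demo():
    """Walk one constructed subject through consent, withdrawal and erasure."""
    reg = ConsentRegister()
    mailing_list = {"a.person@example.com"}                 # constructed sample
    crm = {"a.person@example.com": {"name": "A. Person"}}   # constructed sample
    reg.register_store("mailing_list", mailing_list)
    reg.register_store("crm", crm)
    reg.record_consent("a.person@example.com", "newsletter", "consent-form-0001.pdf")
    reg.withdraw_consent("a.person@example.com", "newsletter")
    # Erasure must clear the CRM record too, not only the mailing list.
    return reg.erase("a.person@example.com")


if __name__ == "__main__":
    print(demo())
```

The point of `register_store` is the one the article makes: "permanently erased" means every copy, so the register, not the person handling the request, is what knows where personal data lives.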
Individuals rights under GDPR
Under the GDPR, individuals can ask for access at “reasonable intervals”. Data controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it, and must be clear (using plain language) in explaining these things to people.
Individuals have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it.
In addition, under the GDPR, individuals have the “right to be forgotten”. Individuals have the right to have their personal data deleted “without undue delay”, at their request.
About Blackberry Design
Blackberry is a creative design agency. We work with businesses in Redditch, Worcester, Birmingham, the Midlands and nationally. We help our clients build strong brands that can create loyalty and add value.
Got any questions about GDPR and how it might affect your marketing activity? Speak to Blackberry Design to see what we could do for your business. Get in touch on 01527 517309 or fill in our contact form.