The purpose of this article is to summarise some of the key points arising from the General Data Protection Regulations (GDPR) which come into force on 25th May 2018.
Background on GDPR
The regulations relate to personal data. Personal data is data which identifies a living individual, so it includes, for example, a name, email address or phone number. Collecting and using personal data has to be done in accordance with the principles set out in the regulations.
These principles are high level and are as follows:
- There has to be a legitimate ground for collecting the data, and it must be processed in a way that is lawful, fair and transparent.
- Data should be collected for specific and explicit purposes, and its use should be limited to those purposes.
- You have to be clear about why the data is being collected and what will be done with it.
- You must take reasonable steps to ensure that data is accurate and kept up to date.
- You must not keep personal data for longer than it is needed.
- Data should be processed in a way that ensures appropriate security including protection against unauthorised use and loss.
Most family businesses adopt a risk-based approach to compliance with the legislation.
What should family and private businesses be considering?
The starting point on the path to compliance has to be to identify how you collect data, where you store it, how you keep it secure and what you do with it. You need to have a destruction policy. You need to review the legal basis for having and keeping the data. For example: do you have it because the data subject gave consent; do you have it because you had a legitimate interest in having it; and, if so, does that legitimate interest still apply?
In addition to GDPR, there are regulations concerning direct marketing by electronic means. If your organisation carries out direct marketing, then you need to make sure that you send emails only to people who have given consent, and you must give them the right to opt out in the future. If somebody exercises that right, then you must not approach them again.
You should ensure that you have appropriate processes in place to comply with the obligations to report certain data breaches to the Information Commissioner’s Office and to respond to data subject access requests.
This note is not intended to be a comprehensive guide to the regulations. For further information, please contact us at firstname.lastname@example.org.