What do the new GDPR Regulations mean for your data?

Jan 11, 2018 | Frequently Asked Questions, General

General Data Protection Regulation

The new regulation takes the old Data Protection Act to the next level. Businesses and organisations need to act now to be prepared before the regulation is enforced later in the year.

What Is GDPR?
The General Data Protection Regulation is the new European law designed to give increased protection to individuals, especially children, covering how data which is personal to them is stored. It gives people increased powers to be forgotten, and to see and delete information held about them.
Who does the GDPR affect?
It affects any organisation which holds data in any form about individuals. From employers, to retailers. From sports clubs to churches. If you collect data from people and store it electronically or otherwise, this will affect you.
A brief summary
  1. Whereas before you might have assumed people consented to their details being held and used by you, and to you sending the odd marketing email, now you have to have evidence of that consent.
  2. You have to take measures by law to protect the data you keep, and inform the ICO of data breaches, as well as the people involved.
  3. Someone should be in charge of data in the organisation. In a sole trader business, this would be the owner. In a large sports club or retail business, a designated person needs to be placed in charge, with the remit to take decisions and to manage at all levels in the system, including top-level management.
  4. You need robust systems to check you have permission to hold data on people. This includes looking back, and if necessary, asking again.
  5. You need a published system for people to check the data held on them, to amend it if mistakes are found, and to delete their data.

So, what to do now?

1. Audit your data - Now
A quick conversation with a local dance school highlighted over 8 different places where data on clients and their children was kept. There was little control over data security, and no record of permission having been sought for publicity emails, the school having assumed that registering their details was enough.
2. Check if you have asked permission
Permission to email?

Permission to take photos?

Parental permission?

Permission to pass details to other organisations? – For example if you are accredited to an organisation, passing details to them needs permission.

3. Review your privacy policy
Does it include every place data is stored?

Have you included social media?

Do you state how you will use images whilst still protecting the people in the images, especially children, by not using their names or personal details about them?

4. Minimise data held to the absolute minimum
If you don't need addresses, then don't take them.

If you don't need dates of birth for children, then don't take them (a birth year might be enough for your needs).

5. Ensure Parent / Guardian permissions, and contact details have been sought
Children have all sorts of individual needs, and protecting their identity is paramount. Many parents will have different views and these need to be taken into account, and recorded. For example, ‘No photos on social media’ is a common one.
6. Communicate your policy, and how people can check and delete information held on them
Let all your clients / data subjects know what you’re doing, and how to get in touch to check any records you have in place.
7. Audit your processes and data regularly to ensure it meets your stated policy.

So, What Now?

We can assist in conducting an audit of known data sources, and access permissions. While your privacy policy will be tailored to your individual organisation, the audit gives you a great start in the route to compliance.

Here is the summary of ‘What to do Now‘ issued by the ICO.

About the author

Rob Jones

Director - Brilliant Bookings

Rob has been creating websites since 2007. After leaving a career at commercial director level in high street retail and hospitality, Rob has focussed his skills on helping others reach out more via digital media. With over 500 websites so far, Rob has helped organisations with websites, digital security, online advertising, CRM systems, as well as market research, benchmarking, and other business advice.
