25 September 2018

GDPR – where are we now?

GDPR was enforced on 25 May 2018 and replaced the Data Protection Act. GDPR impacts any company that is processing personal data of any data subjects in the EU. Personal data includes names, addresses, telephone numbers, personal identification numbers such as NI or passport, vehicle registration etc.

The regulations increase privacy by strengthening existing rights and creating new ones such as:

- Right to be informed
- Right off access
- Right to rectification
- Right to restriction
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling

Authorities have also been given greater powers against businesses that breach the new regulations, with the potential to be fined 20millions euros or 4% of global turnover, whichever is higher, so it's important to get things right.

To help members continue to demonstrate compliance and avoid hefty fines, we've put together a checklist of things to consider:

1. Data flow audit
Conduct a data flow audit - what, where, why, who, retention
2. Data Protection Policy
Provide a Data Protection Policy that is clear, concise and can be used for internal/external use
3. Subject access requests
Understand individual rights
4. Consent
Have processes in place if individuals request to withdraw their consent
5. International transfer
Consider where you data is stored e.g. cloud storage, have correct processes and contracts in place
6. Data protection impact assessments
Conduct for new systems and projects and ensure you regularly review
7. Processer Agreements
Make sure you have contracts in place for all third parties, mitigate your liability
8. Data breach process
Understand your obligations

If you need further assistance on data management and cyber security then the BPIF are running half-day workshops across the country covering areas such as a GDPR overview, information security and the fundamental steps to cyber security.
30 October - Meriden office
19 November - Northern office

There has been a lot of confusion around gaining consent, legitimate interest and how this affects marketing to individuals. To help overcome some of these obstacles the Specialist Services department are running GDPR - An end to marketing as we know it? workshops. These one-day workshop will show you how to find new business opportunities using through using GDPR to benefit your marketing strategy.
2 October - London office
6 November - Northern office

Remember, don’t drop the ball on GDPR, the latest ePrivacy Regulation update came into effect in September 2018. This regulation sits alongside GDPR and has specific rules for marketing over electronic channels. It states that you need consent to contact consumers via email or SMS, unless someone has bought from you before, and then only for similar products or services. The ePrivacy has the same scope as the GDPR and carries an identical penalty system for non-compliance.

The PECR set out the rules on:

- Electronic communications, including marketing emails, faxes, texts and phone calls;

- The use of cookies that track website visitors’ information; 

- The security of public electronic communications services; and 

- The privacy of end users.

Go to ICO to find out more; https://ico.org.uk/for-organisations/guide-to-pecr/

If you require any ePrivacy support to help you become compliant contact [email protected] or 01924 203335.