Swift guide to GDPR
- 1. Imo’s common sense guide to GDPR – the two pager What is GDPR? The new EU general data protection law coming into force in May 2018. It gives more rights to individuals which will mean charities, clubs and small businesses need to review their procedures and make some changes. However, it’s not actually that big a change compared to the data protection you should already be performing. Which you probably aren’t. Some practical examples of why you need to plan this • If you send out an email to a group of people, do not put all the email addresses into the cc: field. Use the bcc (blind copy) field to enter in the list of emails, unless you can show that all those people have given you explicit consent to reveal their email addresses to all the other people. • Data has to be kept safe. Is yours backed up, encrypted? Do you have those details listed somewhere in a data security policy or procedure? Is one of your backups held offsite in case of fire, theft or flood? • Is there a data privacy policy on your website? And a cookies agreement? • Do you have a form for new customers or users? It must request explicit consent for their data to be held, explain what it’s held for, who by and for how long, and who people contact if they don’t agree. • Do you ever text customers notifications or reminders? You must inform customers or users that you are going to do this, and give an opt-out option whenever you use it. • If your premises were broken into and a computer stolen that holds personal data, you would need to inform the data protection commissioner within 72 hours unless it is anonymized OR encrypted. Do you know what’s on each computer, and whether it’s encrypted? • If you receive a request from a data subject who wants to get a copy of all the data you hold on them and then have it deleted, could you do this within 30 days and free of charge? How would you be sure you’d found all their data? That’s the law from May. • What do you know about your Internet security? Do you have a firewall and malware protection? Is access to data protected eg by passworded accounts? • How can you be sure all your staff are using strong computer passwords? • If you sell or pass on an old computer no longer in use, what is your procedure to ensure there is no personal data accessible from that computer in future? • Do you use Paypal to receive payments? This company has restrictive data policies as part of its terms and conditions that imply customer information may be passed to third parties in a jurisdiction beyond the EU in a way which may not comply with GDPR.
- 2. Checklist • Inventory your data • Record who has access (online and paper) to the data • Check your data security – backups, online, network • Figure out who you need to “repermission” regarding their data by May 2018 • Do you need to appoint a data protection officer? (Probably not.) • Who is going to be responsible for data protection in the organization? • Revise direct marketing procedures • Revise website privacy and cookies policy • Revise your data protection procedures, including subject data access requests • Make everyone in the organization aware of the changes and how they can contribute • Keep checking for any changes coming up to May 2018 such as age for parental consent where children are involved. The longer version I have a 14-page version with action lists and templates available free of charge at https://www.slideshare.net/imogenbertin/gdpr-the-imo-guide-draft-2 This infographic from the gdprcoalition.ieis also helpful.