The law on data protection is changing. Make sure you’re up to date with our guide to the essential facts
You might not be aware of it, but the law on data protection for all EU citizens is changing. The legislation is particularly significant for any business that gathers, stores and shares any type of personal data.
To help you avoid the potential pitfalls involved, we’ve put together this blog post to give you the essential facts and, most importantly, advice on how to move forward under the new laws. Our advice is to protect yourself and others by becoming as informed and prepared for the change as possible.
So, what is this new law called?
The General Data Protection Regulation (GDPR) is a new law that will replace the current 1995 EU Data Protection Directive and will come into force on the 25th of May 2018.
According to the legislation, it applies to ‘controllers’ (those who determine the purposes and means of processing personal data) and to ‘processors’ (those who process personal data on a controller’s behalf).
Why the change?
The GDPR is aimed at improving data protection for everyone within the EU and will hopefully improve the way organisations use data, as well as increasing the security of any personal data.
It has two goals, namely to:
- Establish one single set of data protection rules across the EU
- Give individuals better control over their personal data
The GDPR has several main principles and has been designed largely to ensure that organisations:
- Obtain and process personal data fairly
- Keep and process data only for a specific purpose
- Keep data secure and up-to-date
- Retain data for as long as needed, then safely delete it
- Provide a copy of all data (on request)
The GDPR applies to personal information such as names, email addresses, ID numbers, physical addresses, as well as online identifiers like IP addresses or cookies.
Why is online data protection important? What would happen if it was unregulated?
We’ve all had texts, phone calls and emails that we didn’t expect, or even want from third party organisations. Take a moment to imagine those times a hundred. If any organisation could take your details and send you whatever they wanted when they wanted, you wouldn’t be able to move for all the spam you would be inundated with.
And if you wouldn’t give a complete stranger one of your most treasured possessions to look after, why would you give them your personal details? How would you know that you could trust them not to give these to another organisation (cue more spam) or worse, what if they didn’t have the proper security to keep your details safe? Cyber crime and identity fraud pose a substantial threat to businesses and institutions such as banks and hospitals. There can be very serious ramifications from personal details being compromised, especially where finances are concerned.
Like it or not, with the rise in mobile technology, banking systems, email communications, social media and so much more, all citizens have a digital footprint which needs to be protected.
Which rules apply now?
There are a few key rules to GDPR. These are mainly to do with notice and consent, access to, modification and the deletion of data, as well as limits on data retention, security and data breaches. Here’s a look at a few:
- Notice and consent
The GDPR dictates that when collecting personal data, you must explain why you’re doing this and for what purpose the data will be used. You’ll need to show that you have the right to access the data in the first place and that you have the right to modify or erase it. You’ll also need to demonstrate that you have processes in place, should someone withdraw their consent, as well as a defined data retention period.
In order to stay within the law, when collecting and using personal data, it is essential that you receive affirmative consent from an individual, track how and when that consent was obtained and also offer any individuals the ability to withdraw this. Fortunately, most data and email management platforms offer this functionality and we expect to see these features continue to improve across the board in the coming months.
- Access, modification and deletion
The person the information is about has the right to ask you for access to their personal data and to have it modified or deleted if it is incorrect, although an organisation can sometimes refuse to delete information if retaining the data is contractually or legally required.
- Limits on retention
If you receive an ‘absence deletion request’ or a withdrawal of consent you are not allowed to continue to use an individual’s information. Similarly, you cannot keep data forever. If there is no longer an appropriate business case for storing or processing it, it will have to be deleted.
- Security and data breaches
In order to avoid security and data breaches it is critical that you implement appropriate security measures like making any data anonymous, encrypting it and doing regular system tests. You’ll also need to show that you have controls for data confidentiality and system resilience. If there is a security breach then you are required to send out a breach notification within 72 hours.
What should I be doing now to prepare for the new law?
- The first thing you should do is find out whether the GDPR is relevant to you and your business. The GDPR applies to any company that controls or processes personal data of EU citizens. You’ll need to consider whether you market products to EU citizens or monitor the behaviour of EU citizens. It’s important to remember that the location of your company doesn’t matter: as long as your customers are EU citizens, the GDPR still applies to you.
- The second thing you should do is look at your contact database and think about what personal data is stored in it. How do you collect contact data? What is your legal basis for controlling or processing any contact data? If you use inbound marketing, you’ll need to make sure you don’t have any purchased lists and that you have active engagement with all of your prospects and customers.
- Next, you should improve your notice and consent for storing data. Consider how you’re capturing this. Do you use a blank checkbox to establish it? Have you mapped all sources of personal data? And what information do you provide to prospects before they give you their details?
- You’ll need to evaluate how and where you store and share personal data, what personal data you have and with whom you share it. Do you document your processing activity, the purpose of your processing and where the data is stored? Vitally, what security measures do you have in place to protect the data you store and share?
- The last thing you should do is figure out your retention policy. By this, we mean that you should think about when you no longer have a lawful basis to continue processing data. Do you even have a policy in place for retention and deletion of data?
Don’t delay on making the change
Here at Yello Veedub, we’ve begun to update our internal processes to fit with the new legislation. It pays to give yourself plenty of time, just in case you come across anything unexpected, or should anything take longer to implement than you initially anticipate. For this reason, we definitely recommend that all businesses who will be affected by the GDPR review their data systems and processes and act sooner rather than later.
Our advice? If the law applies to you and how you run your business, act now to update all your internal policies so that you’re well prepared by the time May comes around. We hope that this post has made things a bit clearer, but if you have any questions please be sure to contact us; we are always here to help.
WHAT THIS MEANS FOR DENTAL PRACTICES
As a CQC registered dental professional, it is likely that you already comply with many of the changes required under the new GDPR law, as there are key similarities between it and the CQC’s recommended practice for dental care records, which in turn advises following both the FGDP Guidelines and GDC Standards.
Despite this, we would advise that you follow our useful checklist to ensure that your practice is most definitely up to speed with the General Data Protection Regulation:
- Ensure you have clients’ consent. There is a clear requirement in the GDPR to offer people choice and control over how their data is used, depending on the situation.
When it comes to consent for email newsletters and similar correspondence, you must:
  - Have a clear and specific consent statement; the indication of consent must be unambiguous
  - Never pre-tick boxes; consent must be a ‘positive opt-in’
  - Make it easy and clear how your client can withdraw their consent at any time
  - Keep evidence of consent, including who consented, when, how, and what they agreed to
  - Review and refresh the consent process when needed
- Understand your obligation to protect against and report breaches of data. To avoid potential breaches of data, consider:
  - Where you store information on clients: mobiles, tablets and personal computers may be susceptible to ‘ransomware attacks’
  - If you take photographs of clients’ treatments, whether you should have a dedicated practice camera rather than storing images on personal cameras or mobiles
We suggest you complete a Privacy Impact Assessment (PIA) to help your practice identify the most effective way to comply with the obligations of the GDPR, including how to address each identified risk and whether that will mean reducing or eliminating the risk. As the BDA recommends, whilst waiting for the detail of the GDPR, practices should “consider what information they hold on people, what they use this information for, and where and how it is stored.” By better understanding how you are currently using and storing data, you will be better equipped to make any necessary changes when the GDPR comes into force in May 2018.