The General Data Protection Regulation (GDPR), an EU-wide regulation, is concerned with the personal data of living persons only. Its overall aim is to provide protection for EU citizens in a digital age through the provision of stronger rights. It also applies to activities outside of the EU if they concern a citizen from that area. Brexit will not affect its introduction into the UK as the government is proceeding apace with it.
On May 25th, 2018, GDPR will come into force. This follows a two-year preparation period after its adoption on 27th April 2016, and the purpose is to update the UK’s existing Data Protection Act of 1998.
Once the new regulation comes into place, different industries will be affected in different ways. Some, indeed most, capture data for a contractual or legally impelled reason and would therefore be unable to provide products and services without capturing personal data. Marketing is one of the sectors that is most vulnerable.
Thomas Hayes, GDPR Consultant, explains: “Having efficient records management and flexible Business Intelligence Tools, underpinned by effective processes, will produce realisable benefits on an ongoing basis. It will provide a competitive advantage to those who can demonstrate that they understand and have the customers’ interests at the heart of their operations. Do not fear GDPR – accept it as an opportunity”.
There are a number of factors to be considered if you wish to ensure compliance. Firstly, effective records management is essential. Without firm control over the (customer’s) data, you will find it difficult to meet the requirements. That means knowing exactly where it is and keeping it accurate.
Secondly, you need to firmly grasp the principle that it is not your data. It is the customer’s, and they are only allowing you to process it for the reason that is explicitly consented to, and for the purpose that they intended. Therefore, you need to understand and document why you need this data and for what purpose. It is also important to treat the data as securely as possible. The customer has a right to know what you hold and can ask for this to be reported to him or her, and for it to be corrected if need be.
The best method to ensure compliance is to have a fully mapped out process of data as it flows in and out of the organisation. This tracks the data from capture, through maintenance and completion. A records retention schedule that defines how long you wish to keep data is required. Some data may need to be kept for an amount of time stipulated by others, for example, HMRC.