The deadline for complying with GDPR, 25th May 2018, has now arrived. You either deserve a pat on the back for getting your affairs in order in time, or a strong reminder about the maximum penalty for non-compliance (4% of turnover or 20 million euro, whichever is higher).
As we all recover from the deluge of emails asking us to agree to revised terms and resubscribe to mailing lists we previously (apparently) signed up to, it's time to take stock of the EU's General Data Protection Regulation in particular and data privacy in general.
Making the required changes to data practice, processing and policy for GDPR has undoubtedly been a headache and an unwanted expense for many. It's a big and not very exciting subject, and there are no easy answers about what the right course of action is. In most cases, it's a judgement call. For small companies, organisations, groups and individuals struggling to understand all the information flying around, it has been a bewildering, daunting and scary process.
In its defence, GDPR is a Good Thing for all of us as EU (and in future, UK) citizens. It's world-leading legislation which safeguards the personal data of millions of individuals. Pity the people of other countries who have no legal recourse to find out what is stored about them, or to have that data removed, changed or even prevent it being sold on to other companies. In the EU, we now have extensive access and rights to our own data, and companies who don't comply will face penalties big enough to make them take notice.
Admittedly, the main targets of GDPR are big corporations; not just social media giants like Facebook (which was recently implicated in a massive data "breach") but also banks and credit card companies, government organisations, email providers etc. The burden is now on these behemoths to make sure their systems are secure and robust in the first place, limit the amount of data they collect, respect the wishes of their data subjects, and in case of a breach, let authorities and affected people know promptly.
However, the point of GDPR has always been to take personal data seriously, and that's something we all need to take responsibility for. If you ask people to trust you with their personal data, however trivial it might seem to you, it is your responsibility to make sure it's safeguarded and well-managed. There is no excuse for sending out group emails to people who don't know each other without BCC'ing the recipients - we all know that's bad etiquette at best and damaging at worst. Data protection for your website (or any other system you use) is simply about taking a similar level of care for any data that's stored there.
What next? Once the dust has settled on immediate compliance with GDPR, data protection should become embedded as an ongoing process of checking and review. If you have a Data Protection Officer this will be their primary responsibility, but even if you don't you should consider doing some of the following. Schedule time every year or as required to review:
- privacy or data handling policies:
  - are you still only collecting the minimum data you need?
  - have the reasons for collecting it changed?
  - do you still need it for the same length of time?
  - is it clear and easy for people to understand how they can exercise their rights concerning their data?
- who has access:
  - does everyone who has access to data still need it?
  - do the people who receive data access requests understand how to respond to them?
  - do you need a Data Protection Officer?
- legal side:
  - do you need to revise your data agreements, either as a Data Controller or Data Processor?
  - do you need to register with the ICO as a Data Controller? You can complete this short ICO questionnaire to see if you should be registered.
- data housekeeping:
  - delete any types of data which you no longer require
  - delete any data older than the length of time your data policy says you will keep it for
- overall system security:
  - is it time to change login passwords?
  - are your systems up-to-date with all security updates applied?
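The two data housekeeping items above (drop data types you no longer collect, and drop anything older than your stated retention period) are the part of the review that can be turned into a repeatable check rather than a manual trawl. The following is an added example, not code from the original post: it takes a retention policy expressed as days per data category, plus a set of categories the policy has retired, and sorts records into delete / keep / review. The category names, retention periods and sample records are constructed for illustration; your own data policy supplies the real ones. Records whose category has no rule at all are sent for review instead of being deleted or silently kept forever, since an unknown data type is exactly the kind of thing a yearly review should surface.

```python
from datetime import date

# Constructed retention policy: maximum age in days per data category.
# Real periods come from your documented data policy, not from this file.
RETENTION_DAYS = {
    "newsletter_subscriber": 365,      # 1 year after last activity
    "order": 6 * 365,                  # 6 years after last activity
    "support_ticket": 2 * 365,         # 2 years after last activity
}

# Constructed: categories the policy no longer has a reason to collect.
# Anything still stored under these is deleted regardless of age.
RETIRED_CATEGORIES = {"event_rsvp"}


def classify_records(records, today):
    """Apply the retention policy to a list of records.

    Each record is a dict with 'id', 'category' and 'last_activity' (a date).
    Returns three sorted lists of record ids: (delete, keep, review).
    'review' collects records whose category has no retention rule, so a
    human decides rather than the script guessing.
    """
    delete, keep, review = [], [], []
    for rec in records:
        category = rec["category"]
        if category in RETIRED_CATEGORIES:
            delete.append(rec["id"])
            continue
        max_age = RETENTION_DAYS.get(category)
        if max_age is None:
            review.append(rec["id"])
            continue
        age_days = (today - rec["last_activity"]).days
        if age_days > max_age:
            delete.append(rec["id"])
        else:
            keep.append(rec["id"])
    return sorted(delete), sorted(keep), sorted(review)


# Constructed sample data: what a small site's records might look like.
SAMPLE_RECORDS = [
    {"id": 1, "category": "newsletter_subscriber", "last_activity": date(2016, 1, 1)},
    {"id": 2, "category": "newsletter_subscriber", "last_activity": date(2018, 3, 1)},
    {"id": 3, "category": "order", "last_activity": date(2012, 1, 1)},
    {"id": 4, "category": "order", "last_activity": date(2017, 6, 1)},
    {"id": 5, "category": "event_rsvp", "last_activity": date(2018, 5, 1)},
    {"id": 6, "category": "cctv_clip", "last_activity": date(2018, 5, 20)},
]


def run_review(today=date(2018, 5, 25)):
    """Run the policy over the sample records and return the three lists."""
    return classify_records(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    to_delete, to_keep, to_review = run_review()
    # Record the outcome somewhere durable in a real deployment: the audit
    # trail of what was deleted and why is part of demonstrating compliance.
    print("delete:", to_delete)
    print("keep:  ", to_keep)
    print("review:", to_review)
```

The script only classifies; the actual deletion belongs in a separate step that is reviewed before it runs and logged afterwards, so that the yearly review leaves evidence of what was removed and under which rule.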
There are some slightly opaque terms in GDPR to get to grips with, but overall data security and privacy is just plain common sense. It's always a good idea to take stock and consider - both as individuals sharing personal data and as companies collecting and processing it - and that's just what GDPR asks us to do.
The EU legislation has been a wake-up call to a number of companies who were getting very good at gleaning every last bit of information from us without our permission, and probably a number who never really considered what they were storing and who had access to it.
There will be those who don't comply with the new law, just as there will be future data breaches both malicious and accidental. Hopefully, though, we'll all be a little smarter about what we give away and how we can take control of our data.