The General Data Protection Regulation (GDPR) comes into force on the 25th of this month. Under the Regulation, businesses have a duty to keep individuals informed about the use of their personal data and about their legal rights concerning that data.
Your Privacy Policy
If you have a privacy policy on your website and you have not yet updated it in line with GDPR, you will need to move quickly. The policy will need to make clear how personal data is collected through your website and how cookies are used to track visitors' behaviour as they navigate your pages.

In addition, if you are doing business offline, which most businesses do alongside online trading, you will need to be aware that GDPR and its information requirements apply in just the same way.
The right to be informed is one of the key parts of GDPR. This means that if you deal with consumers, you will need to inform them of the following:
- What personal data you hold about them
- What you use the data for
- The grounds for using the data
- How long you will hold the data
- Whether you intend to share the data, and with whom
You will also need to provide people with information about their rights, including the right of access and, where consent is the basis for processing, the right to withdraw consent.

If you collect personal data directly from consumers, you should be informing them of all this at the time of collecting the data. If you collect the data through a third party, then you must inform the data subjects either when you first communicate with them, within a month, or when you disclose the data to someone else, whichever occurs first.

You will need a privacy notice ready to provide to consumers. This notice will need to set out the required information in an easy-to-follow, user-friendly way. It will need to be designed specifically for situations where data is collected offline rather than online through a website, for example at the point of sale.
Your Data Protection Policy
If you already have a data protection policy then you will need to update it in line with GDPR. If you don't already have one, now is the time to get one drafted.

It is vital that your entire organisation is aware of the rules involved in GDPR and how personal data should be handled now that things have changed. Without a data protection policy, you have no proof that you have made any attempt to put procedures in place within your business for protecting personal data in line with the new Regulation.

Remember, we have discussed this before: fines for breaches of this Regulation are substantial, to the point where they could devastate a business.
Time to Take Advice?
If you have not yet brought your business up to speed in readiness for GDPR, you really do need to get moving. Getting your policies in order is absolutely crucial if you are going to remain compliant, so either consult a lawyer or look online for good-quality policy templates that you can adapt to your specific business needs.