Understanding GDPR

August 31, 2019

What is GDPR?

The main aims of the EU’s General Data Protection Regulation are to ensure the personal data of European Union “Data subjects” is better protected and to increase the rights of EU data subjects over their personal data.

Under GDPR, a data subject is an EU citizen or other nations who are physically present in the EU at the time data are collected.

Any business or organization that offers services to EU data subjects that collects, processes or stores the personal data of EU data subjects have to comply with GDPR regardless of the location of that business or organization.

Personal Data under GDPR.

Personal data is considered to be any piece of information that contains an “Identifier” that can be used to identify a specific individual or group of individuals.

• Names (first, last, middle, maiden, etc.)
• Dates of birth
• Telephone numbers
• Addresses
• Photographs
• Audio/visual recordings of an individual
• Bank details
• Opinions
• Passport numbers
• Location data

Personal data pertains to a person, rather than a business or other organization,  which have their own set of data protection laws.

However, there are some exceptions such as with Anonymous data – Information that cannot easily be tied to a data subject – is not covered by GDPR. For example, if participants in a survey are grouped by county instead of a town, it makes them harder to identify as there may be several people with the same name in a county, but potentially only one in any particular town.

Under GDPR, personal data must only be stored for the time taken to achieve the purpose for which the data have been collected.

Entities storing data must carefully consider how long data must be kept and also how to dispose of that information securely once the purpose for which the information was collected has been achieved.

Special Types of Personal Data Defined under GDPR.

There are particular pieces of information that are particularly sensitive and could result in individuals coming to harm or being vulnerable in the event of a data breach.

These types of data are treated as ‘special categories’ of data under GDPR. if these special categories of data are collected or processed by an entity, greater levels of protection are required and extra levels of checks and justification for collecting and using those types of data are required, as detailed in GDPR Article 9.

Examples include the following: Race or ethnicity, religious or spiritual beliefs, political or philosophical leanings, trade union alliances, biological/genetic data, medical data, sexuality/gender identity.

Who is Covered by GDPR?

Broadly speaking, there are three categories of entities and individuals covered by GDPR. The first, the controller, is a government agency or organization that initiates the collection and processing of personal data.

The controller is the entity that collects and uses personal data or shares that information.

The second, processors, are those contracted by the controller to process personal data.

These are usually IT companies or third-party marketing companies, but the term “Data processor” can also relate to any software used to process data.

Apps used to collect or process personal data are also subject to GDPR compliance.

In many circumstances, the same organization can be both a data controller and a data processor.

Finally, there are the data subjects. These individuals retain the right to access their personal data, correct errors, and request the removal of information collected about them.

What is GDPR Data Processing?

Essentially, when GDPR refers to the processing of data, it means the handling, use, storage and destruction of information.

Processors and controllers are responsible for ensuring data security at every stage of its lifecycle.

In certain situations, individuals may request that their data is not processed, or that its processing is “Restricted”.

This is also known as “The right to object”.

It may be that the individual considers their information particularly sensitive, or has concerns about how their information will be used by an organization.

There are three instances when an individual has the right to object:

  1. Processing of data for scientific/ historical research
  2. Processing of data for direct marketing
  3. Processing that is based on profiling if such requests are upheld, it means that any collected data cannot be used.

In some instances, processing may be restricted for a certain period, after which the data can be used.

Exceptions to GDPR.

As can be expected, not every organization that operates within the EU must comply with GDPR. Such exemptions are outlined in Articles 85 and 91, although member states may apply for specific exemptions.

GDPR sets out to protect personal data, although doing so may mean contravening other GDPR rules.

If an individual poses a threat to the rights and freedoms of others, it is often the case their data is no longer protected under GDPR in the same way as data of other citizens.

Examples of when personal data may no longer be treated as such include:
1. Defense concerns Crime prevention
3. Financial security
4. Prosecution of a crime
5. Suspected tax evasion
6. Public health concerns  
7. Freedom of information Conversely, member states may wish to apply extra safeguards to citizens’ data.

Regardless of these extra measures, all GDPR requirements must be met.

Now that we’ve covered the basic concepts behind GDPR, we will now provide you with 10 tips that will help ensure your organization is compliant with GDP laws. And if you don’t want to go through the hassle yourself reach out to us and let us help you make your organization GDPR compliant.

The ten tips to becoming GDPR compliant are as follows:

1.Store all of the data you have your employees’ suppliers and customers in an organized fashion.

This is going to be helpful for two reasons. The first is that if a person asked your business what information do you have on me you want to be able to get all of that information to them as quickly as possible and as accurately as possible so make sure all the data you have is organized so you can do that. The second important reason is that if you were to ever be investigated by the GDPR you want to make sure that you’re showing that you know what data you have on everyone. So the store all data in an organized and easily accessible manner.

2. Ensure that data is safely secured.

So what measures have you got in place to make sure that nobody could leak hack or misplace that data? If you store in that data digitally what safety measures could you put in place? Could the information be out there in the cloud? Do you have antivirus software on all of your devices? If any of your devices were lost could you remotely wipe that data so nobody could access it? Start thinking of these things because you want to make sure your data is always in safe hands. Similarly, if you have hard copies of your data what are you doing with them and how are you keeping them protected? Can you make sure the data in them is secured safely? Are they locked away in a fireproof box? Are you making sure that no one could access that information? You also want to make sure you record in the risk assessment. So actually write down what safety measures you’ve implemented to make sure that data is safe. This is going to make sure everybody in your team knows exactly what’s happening. And should you ever be investigated you’re showing that you’ve already taken necessary precautions?

3. Don’t hold onto data unnecessarily.

You can’t hold onto data if you don’t know what you’re going to do with it. You need to be sure of why you’ve got someone’s name or email address so don’t hold on to data just in case it might become handy in the future.

4. Have a written fair processing policy.

This is something you’re likely to already have in the form of a privacy policy so it’s something you might be familiar with. It’s a document that clearly explains what data you’re going to be taking from people and how you’re going to be using it.
Every time somebody hands over a bit of data to you make sure that they have clear access to your fair process in notifying GDP. Ensure that this bad policy notice has no jargon and legally and lawfully bits in there that could be ambiguous. So start with a blank piece of paper and just in layman’s terms say what are you going to do with that information. Here are some questions to keep in mind. What information is being collected? Who is collecting it? How is it being collected? Why is it being collected? How is it going to be used? Who will it be shared with what will be the effect of this on the individuals concerned? And is the intended use likely to cause individuals to object or complain?

5. Information Transparency.

If somebody asks what information do you have on me, do you have a process that you can easily give that to them? So with the new law, you have to be able to supply people with what information you have on them. If they ask you have to supply this information within one month of them asking and you have to do it free of charge.
So make sure you’ve got a process in place so that you can quickly get all the information you have on them and send that over to them.

6. The right to be forgotten.

Have a process in place for if someone asks you to delete all that data you can. So if someone asked you to delete all the data you have to. That’s part of the new law so make sure you know where all of the information you have on them is so you can easily wipe that.

7. Consensual opt-in for marketing purposes.

Allow people to positively opt in to you having their data and using it for marketing purposes. So what does this mean? It means that if you’re going to use someone’s data for marketing they have to take some sort of action to say yes you can have my data. And yes you can use it for these reasons. That’s known as positively opt-in. It used to be the case that you would go into a website and there would be a pretext box that says yeah you can use my data for whatever. That’s not the case anymore.
People have to actively tick that box or take another action. Some good examples of getting people to positively opt-in are having a tick box next to a contact form that says yes you can use my data and someone has to take that all to have a double opt-in.
This is when an email comes straight to that inbox that says Click this button to be part of our mailing list or so that we can use your information for X Y and Z. If you’re collecting people’s information in person you can get them to sign something to say that they’re happy for you to use their data in this way. Or you could get them to tick a box that says I’m happy for you to do this whatever it is to make sure that someone has taken an action and you have evidence that they did that.

8. Layered opting form.

This is something the GDP has offset the fine with and something I like. So they look a little bit like this. This layered opt-in allows users to have easy access to understand their information and how it’s going to be used. It doesn’t look messy. Instead, they can click on a button and delve into more information if they’d like about how you’re going to use it.

9. Easy to opt-out.

If you’re using people’s information to send the markets to make it easy for them to opt-out of it. If you’re using emails you need to make sure people can unsubscribe.
Same with things like text messages and call services. Similarly, if you’re sending people to mail make sure that you’re writing in something at the bottom that tells them how they can stop receiving this mail. The information for opting out should be really clear and obvious. Don’t use any small print. Also, make sure you have a really strict policy on how you’re going to make sure someone that opted out doesn’t get any more marketing materials from you. This is where you could fall short to GDP law and get reported and that’s when the 20 million euro fines are going to come knocking at your door which you don’t want. So you’d need that policy. If someone doesn’t want to receive anything anymore make sure everyone in your team knows that and then no longer receive it.

10. Make sure all your team knows about the new GDP laws.

You should train your employees on everything we’ve spoken about today because it’s just as important that they do it so your whole business isn’t liable. I would also appoint you or someone in your team to be the data protection officer. This means that a person is responsible for enforcing all the tips we’ve spoken about today. Giving one-person total responsibility for the implementation of these laws means that these tips are much more likely to get enforced because of checks and balances in your business.

We hope this article was informative and has provided you with a better understanding of GDPR and how your organization can become more compliant. After working with several different clients we understand how complicated this entire process can be especially if you are a new business who is just starting in the EU. So, if you are still feeling confused and overwhelmed you should reach out to us. And, we will ensure your business is GDPR compliant. We provide a free 60-minute  consultation.

Increase the effectivness of your business
Ask for a quote or an introduction
Contact us