The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and replaced the Data Protection Act.

This affects every business that handles customer information: how it is processed, how consent is obtained and how it is kept safe. Here is some information to help you prepare your business for GDPR.

This information is intended for guidance only; only the courts can give an authoritative interpretation of the law.

Definitions

Personal data is 'any information relating to an identified or identifiable natural person'. This includes someone's:

  • name
  • address
  • date of birth
  • telephone number
  • email address
  • photograph.

A data controller decides what will be done with the data. Read the GDPR checklist for data controllers.

A data processor is responsible for processing the data for the controller. Read the GDPR checklist for data processors.

The Information Commissioner's Office (ICO) is an independent authority that upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Visit the ICO website.

The musts under GDPR

Tell your customers how you will use their information (data)

For example, if you keep your customer's name, address, email and telephone number to send them a reminder about their annual central heating service, make sure you clearly inform them of this.

Visit the ICO website to learn about lawful basis for processing.

Tell your customer who you share their information (data) with

For example, if you never give your customers' details to anyone else, tell them that you do not share their data; if you do share it, you must tell them who you share it with and why.

Visit the ICO website to learn about the right to be informed.

Make sure you have their agreement to process their information (data)

For example, you must have a lawful reason to process your customers' data and clearly state this in your privacy notice. A lawful basis means that the collection or processing is 'necessary'; if it isn't necessary, then it won't be lawful.

Visit the ICO website to learn about lawful basis for processing and special category data.

You must show how you got their agreement and what was agreed

Consent requires a positive opt-in: don't use pre-ticked boxes or any other method of default consent, and you must keep evidence of consent (who consented, when, how, and what you told them).

Visit the ICO website to learn about consent.

Individuals have the right to access their personal data, and you must allow your customers to ask for their information to be deleted

This is often called ‘the right to be forgotten’.

Visit the ICO website to learn about the right to erasure.

You cannot charge a fee when your customers ask what information you hold on them, and you must reply, in most cases, within one month

Visit the ICO website to learn about the right of access.

You are responsible for making sure your customers' information is safe – you must take reasonable steps to prevent theft and unauthorised access

For example, storing data in a notebook, phone or tablet represents a risk because the personal data for which you are responsible could be stolen, lost or hacked. Equally, if you store data in the cloud, the data leaves your network and is processed in systems managed by your cloud provider. You therefore need to assess the security measures that the cloud provider has in place to ensure that they are appropriate.

Visit the ICO website to learn about security.

If you lose your customers' information or your systems are hacked, you must tell the ICO within 72 hours, as well as the customers whose information has been lost or stolen

Visit the ICO website to learn about data breaches.

If you process the data of children, you will need to obtain consent from the parents or guardians

Visit the ICO website to learn about processing children's data.

A breach of the GDPR can result in a fine of up to €20 million or 4% of global turnover

If you fail to notify the ICO of a breach, this alone can result in a fine of up to €10 million or 2% of your global turnover.

Next steps for your business

Once you've read the above:

  • Carry out an audit of what data your business holds on its customers.
  • Delete any unnecessary data.
  • Don't store data for any longer than necessary.
  • Ask yourself whether you use subcontractors and share personal data with them.
  • Consider the risks in sharing data and make sure any contractors (acting as data processors) store the data securely.
  • Assess any potential risks to the data; for example, customer credit card details could be vulnerable if your system is hacked, or if you lose a smartphone on which personal data is stored.
  • Review your security.

Resources to help you

Visit: