GDPR Compliance with Data Collection
GDPR applies to anybody who handles the personal data of European citizens and will supersede the current Data Protection Act on May 25th 2018. The new legislation gives individuals more say over what organisations can do with their data, with strict fines for non-compliance and breaches.
Does GDPR apply to your business?
If you are collecting data from EU citizens, including your own employees, then GDPR applies to you, even if you are based in a country outside the EU. If you are currently subject to the Data Protection Act, based around eight principles of good information handling, you will also need to be GDPR compliant.
When processing personal data, it will be necessary to determine whether you are acting as a data controller or data processor:
- Controller – determines how and why personal data is processed
- Processor – handles the technical processing of the data on the controller's behalf
The controller could be any commercial business, charity or government department and a processor could be any IT service provider – both need to abide by the GDPR.
GDPR – Key questions answered
Consent – The request for consent must be given in plain, easy-to-understand language and in an easily accessible form, with the purpose for data processing attached to that consent. Consent has to be distinguishable from other matters such as using the service, must be freely given, and must be as easy for a customer to withdraw as it was to give.
Personal Data Definition – Personal data will mean any information relating to an identified or identifiable natural person. This will include unique identifiers, including IP addresses and cookies (where they are used to uniquely identify the device). This makes cookie use subject to the same consent requirements.
Right to Access – The person whose data you are collecting has the right to obtain confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes. This must be provided free of charge unless the request is repetitive, excessive or unfounded.
Right to be Forgotten – The data subject can insist that the controller erase all personal data about them and stop the processing of it by third parties. The controller can object if there is a public interest in the availability of the data.
Breach Notification – Breach notification must be sent to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay if the breach is likely to result in risk to their rights and freedoms.
Privacy by Design – Data controllers must implement appropriate technical and organisational measures to meet the GDPR requirements; i.e. hold and process only data that is absolutely necessary for the completion of duties, and limit access to personal data to those doing the processing.
Data portability – The new regulation will give individuals the right to transfer their data from one controller to another. So organisations, on request, must be able to deliver a person’s data in a suitable format. Data collected via online surveys is immediately compliant with the data portability rule as it can be provided instantly without needing any further handling.
Data protection officers (DPO) – It will be required to appoint a DPO, who can be a contractor, a new hire or a member of the organisation’s staff. It is important to note that not all organisations are obliged to have a DPO; more information can be found in the A29 Guidance.
5 reasons GDPR compliance for data collection is important
- Breaching GDPR can result in strict fines.
- To prevent reputational harm to your brand.
- To take advantage of cost savings when collecting data from new markets.
- Generate value from stored data by removing old records.
- Streamline data protection rules to avoid room for error.
Consequences of not being GDPR compliant
Penalties for non-compliance with GDPR will be applicable to both data controllers and processors and will depend on certain factors, including:
- Duration of the infringement
- Quantity of the data subjects affected
- Level of impact
For serious violations of the regulations, businesses could be fined up to 20 million euros or 4% of global turnover, whichever is higher.
Visit the ICO website for further updates and an overview of the General Data Protection Regulation (GDPR).