New Years UK 2020 Honours GDPR nightmare – make sure you are GDPR compliant
Are You GDPR Compliant?
There’s never a better time than the start of a new year (2020) and a new decade to review your business and ensure you are doing things correctly, especially checking you are GDPR compliant.
We have all come to realise the magnitude of data breaches and the repercussions, from the UK’s 2020 New Year’s Honour’s data breach, with personal addresses being accidentally leaked via a spreadsheet online for everyone to see.
Therefore there is no better time than now to make sure you are GDPR compliant and that you have robust systems and processes in place to ensure you are not only dealing with personal data correctly, but you are storing it securely and you are also receiving explicit consent to hold personal data.
As we know from this recent New Year Honours nightmare, ensuring you understand your obligations to GDPR, that your processes are thorough, that the way you handle personal data is secure and rigorously followed to avoid leaks, breaches and accidentally mistakes is an absolute must.
Sadly, there are many ways in which GDPR breaches can take place where a person or organisation can be held accountable for a data breach or non-compliance:
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Processing Personal Data
If your business processes personal data, to be GDPR compliant, you must provide “data subjects” with information explaining how and why you are holding and processing their data. This is can be achieved via a Data Privacy Policy. This is also required when obtaining email addresses via digital marketing. Personal data also applies to information kept on staff, customers and account holders, subscribers etc.
A “data subject” is any person whose personal data is being collected, held or processed. As a result, anyone becomes at some point a data subject – whether they are applying for a job, booking a flight, using their credit card or just browsing the internet, they disclose some personal data.
However, from 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to be part of the data protection register with them and pay a data protection fee to the ICO unless they are exempt.
What is personal data
Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
Why do you need a data privacy policy?
Privacy policies provide documented proof of a business’s data processing activities and illustrates your GDPR compliant activities. This helps you justify your processing if someone raises a concern, complaint or make a subject access request. Privacy policies can also help you win business, as they prove that you take information security seriously.
Having undertaken some research regarding GDPR for micro and small businesses in the UK, I have come across a few useful resources and links for relevant GDPR information and documents:
Add a Comment