The EU General Data Protection Regulation (GDPR) lays down strict rules about collecting, storing and using personal information about customers and staff. Failure to follow the rules could mean a fine of up to 4% of your annual global turnover or €20m, whichever is greater. Here, we look at your obligations.
Personal data refers to any information you have about your customers and staff - from address details to opinions about your products and services. In essence, it is any data from which an individual can be identified and, under the GDPR, includes a wider array of information than before, including online identifiers like IP addresses and even some pseudonymised data. Whatever you use personal data for, you must comply with the GDPR, which attempts to protect the privacy of individuals while enabling businesses and other organisations to operate effectively.
"It's important to ensure that an individual's privacy is protected as soon as their information is received," says Peter Driscoll, ex-chair of the National Association of Data Protection Officers. "And you must only use the information for the purposes you said you would use it for. If you tell someone their information will be used to pay their account, you should not use it for market research."
Basic data protection requirements
Any data you gather must be accurate, kept up to date and deleted (or otherwise disposed of) when you no longer need it. If it is sensitive information (called 'special category data' in the GDPR) that relates to ethnic origin, trade union membership, personal beliefs, biometric ID information, genetics, health and so on, you must comply with stricter requirements to use it.
The requirement to notify the Information Commissioner's Office (ICO) of your processing no longer applies under the GDPR, but many organisations using personal data will still be required to pay a fee to the ICO.
"The collection and use of personal information has to be 'fair'," explains ICO spokesman Phil Jones. The GDPR requires that personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further used in any way that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for the purpose(s) for which it is used;
- Accurate and kept up-to-date;
- Retained for no longer than necessary in light of the purpose(s) for which it was originally collected; and
- Used in a secure manner, protected against accidental loss, destruction or damage, and against unauthorised or unlawful processing.
The GDPR requires some organisations to appoint a data protection officer (DPO). Even if your organisation is not legally required to appoint one, a DPO can be very helpful in ensuring that you comply correctly with your obligations.
DPOs can be appointed internally, or the work can be contracted out. The job of a DPO is to monitor your organisation's compliance with the GDPR, ensuring that everyone is informed of the relevant obligations under the law and, in particular, advising on the use of personal data, for example, in new projects.
DPOs must be independent and their other duties (if any) should not conflict with their post as DPO. DPOs report only to the highest management level within an organisation.
Data security
Any personal information you store on computers or in paper files must only be accessible by people with permission to see it. You cannot pass it to other organisations unless you have permission or a just cause, such as giving staff details to a payroll bureau. The transfer of personal data to others for any kind of processing must also be governed by a contract.
"I would recommend you seek advice from an expert," advises Driscoll. "But there are some things you can do yourself, such as set up passwords for each computer user in your firm, and password-protect files that contain sensitive information."
Paper files are also covered by the GDPR and should be kept under lock and key or stored securely off site. You should also make sure your staff know they must not discuss information about customers with people who are not allowed to access it.
In addition to having policies and procedures in place, it may be worth considering training and other methods of raising awareness of data protection for relevant staff. If you have a DPO, this should be one of their responsibilities.
Staff and customers' data rights
Individuals have a number of rights under the GDPR. They must be informed about your use of their data - what you do with it, how long it will be retained, who it will be shared with, and so on. Other key rights include the right to have incorrect data corrected and rights to object to or restrict your processing of personal data (eg to prevent direct marketing).
Customers and other individuals have the right to see any information you hold about them. Most requests must be handled free of charge (particularly onerous or repetitive ones may be charged for in some cases, but only to cover the actual costs incurred) and you are required to respond within one month in most cases.
Staff, too, are allowed to view their personal files, including documents relating to disciplinary matters. You are not allowed to pass information about an employee to anyone unless you have their consent. If either customers or staff feel you are in breach of the GDPR, they can complain to the ICO.
- The ICO offers a useful data protection self-assessment tool and guide to the GDPR.