For those of you unaware of just how much sensitive data is transmitted over the World Wide Web on a daily basis, it is high time you read up about what the GDPR actually consists of (instead of just spamming the ‘Accept All’ button each time you enter a website).
‘Yeah, but it’s so dry and boring’.
Trust me, I know. In fact, it is especially menial for small business owners with meagre budgets and virtually no resources. The other possibility, however, is potential exposure to eye-watering fines (ca. 4% of your annual turnover), which makes doing your homework just that bit more attractive.
Disclaimer - I am not an expert
As you may have noticed already, this article seeks to entertain as much as it does to inform. If you want the hard facts about GDPR (I highly recommend this!), then please refer to this quick and painless video:
Any good writer relies on watertight sources. In the interests of transparency I will state for the record the sources I have used here:
- ‘A guide to the data protection principles’ - ICO
- ‘What are the 7 principles of the GDPR?’ - Privacy Kitchen via Keepabl
The 7 Principles of the UK GDPR
1. “Lawfulness, fairness & transparency”
Lawfulness of processing is primarily concerned with having a legal basis, of which there are 6 fundamental types. Identifying your legal basis can be tricky, so go steady with this. Legal Kitchen comes to the rescue here once again with some simple guidance.

Fairness means that data shouldn’t be processed in a way that is unexpected based on the stated purposes. Imagine your mate asking to look at your Pokemon cards and then handing them off to a stranger - so out of order! For example, if you were to submit your email address to the local baton-twirling society, and the next day your email inbox was flooded with emails from yo-yo enthusiasts, then you know that the baton-twirlers are not handling your data fairly!
Transparency stipulates that you should be clear about what data you need, and how it will be stored (i.e. in a computer database), such that a consumer can understand the complete timeline of what will happen to their personal information.
We are talking about transparency, not invisibility here - Harry’s Cloak of Invisibility won’t help us comply with GDPR (but would still be super fun).
2. “Specified, explicit and legitimate purposes”
Legitimate purpose is pretty straightforward - tell the data subjects exactly what you are going to do with their data, and only do the stated thing. If you were going to use their name and email address to sign them up for a newsletter, don’t register them for a hamster racing derby instead.
getting consent to data processing from your customers (a.k.a: data subjects). Make sure that you get an explicit confirmation from the customer that they accept your terms. Do you remember the ‘Tea and Consent’ video from back in 2015? Oh, hum, complicated example…
If you collect data from people you need to prove that you need the data for specific purposes (which you are able to spell out to them). Explicitly stating the reason why you are collecting the data from them should typically cover most of the rationale.
3. “Adequate, relevant and limited to what is necessary”
Data Minimisation, according to the ICO’s guidance, is about paring down the range of data you collect.
This starts by examining any milestones within your business process timeline where you expect to collect data from a prospective or existing customer, then analysing which data is absolutely necessary to collect to ensure the proper functioning of that business process. In other words:
…to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
For instance, if a customer initiates a request to sign up to an email newsletter, strictly speaking only an email address is required in order to complete the operation. In many cases, companies request additional information on top of this, such as surname/forename, phone number and more, but to follow the GDPR directive for relevancy, such requests for further context should be supplied on a purely voluntary basis (that doesn’t usually stop more audacious businesses from trying it on, however!).
Crafting your Privacy notice
Even if you are doing the right thing with your data-handling practices, it is essential that you publish a formal document to the public outlining any policies and practices you have in handling PII (Personally Identifiable Information), such that when external person/s interact with your business, you have verifiable means of consent with regard to your relationship to their personal data.
Here, once again, the ICO’s office comes to the rescue with concrete guidance about how to write a privacy notice and what areas it should include.
Knowing how to tackle the GDPR
It’s natural to feel nervous about GDPR compliance - it’s a complicated landscape of legislation spanning a wide array of areas within business operations and requires detailed attention to understand.
When learning about topics within the GDPR, it’s good to set aside dedicated study time solely for the purpose of learning about and understanding the fundamental principles of the regulations.
To this end, the ICO provides a whole host of resources for organisations, which proceed through each aspect of the regulations in turn.