Posted by Malcolm Iliff, on 5th March 2018
A headline in a recent copy of the Financial Times read “Data rules catch out small businesses” and went on to ask the question “Are we prepared?”. It is perhaps a sad thing that we are surrounded on so many sides by a great crowd of bureaucratic regulations - but that is the reality of today’s business environment. Recently, I was asked to review a potential client’s existing website, which had been in existence for some years. It would seem that the rules on what should appear on a site – set out as far back as 2006 in the European Directives – were still not being complied with 12 years later. Does that mean we can flout the law or regulations with impunity? I would not advise it, even if it is unlikely that someone will knock on your door and point out the shortcomings.
So what is needed to meet the GDPR regulations that come into effect in May this year? Having attended several seminars on the subject, I think one may be excused for being confused.
This is neither a legal nor a fully comprehensive summary of GDPR obligations, but I would sum them up as organisations having:
- Recorded consent to hold personal data
- An obligation to keep personal data secure
- The means to allow the person concerned to know what data is held about them
- The means of removing the data (and confirming that it has been deleted) if legitimately requested by that person
- Recorded processes to ensure that these activities are in place.
If your company holds large volumes of personal data, you should already be aware of what needs to be done and the maximum penalties that could be imposed for serious breaches. This blog is not for you – read the detailed regulations! For smaller companies the obligations should be common sense and not unduly onerous – but ignore them at your peril.
At one seminar we were told that GDPR does not apply to B to B situations and that “communications between companies or within a signed-up-to B to B networking group (for example)” did not fall under the regulations. The ICO guidelines, however, refer over and over again to ‘personal data’. Bear that in mind whether you are communicating with, or processing data about, an individual or a company. One other key misunderstanding about the new regulations relates to existing data that one already holds. The ICO is very clear. You are not required (and I quote) to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
Make sure someone in your organisation knows it is their designated responsibility to ensure compliance. From CBJ Digital’s perspective we want your website and data storage to be compliant. If you are unsure, get in touch. We are always glad to be of help. If you are doubtful about what someone said about GDPR obligations, then visit the ICO website and read it for yourself. It does not need to be difficult - it must not be ignored.