GDPR UNIQUEULOGY. Hello. If you re working in the funeral sector, this is what you need to know about the General Data Protection Regulations

Transcription

1

2 UNIQUEULOGY GDPR If you re working in the funeral sector, this is what you need to know about the General Data Protection Regulations Hello. Celebrants, funeral directors, florists, coffin-makers, caterers... this new regulation affects everyone who handles personal data, not just us. We re all familiar with the Data Protection Act (or we should be). We must keep people s details safe. However, on 25th May 2018, the EU s new General Data Protection Rules come into force and that means we have some work to do. So let s tackle it in three stages: Understand what s changing Know what you have to do See how you can get ahead of the game. Grab a coffee. Let s dig in...

3 Understand what s changing Britain may be leaving the EU, but every business in the UK will still have to comply with the incoming General Data Protection Regulations (the GDPR). Large organisations will see a big impact on their businesses (think Co-operative Funeralcare), but smaller businesses should find the changes easier to handle. In short, with the old Data Protection Directive, each EU member state could decide for itself how a business should protect people s data. But with the General Data Protection Regulations (the GDPR), everything s set out for us ~ we will all have to do the same things, the same way. The GDPR will force all of us to be consistently compliant in the way we process (keep, protect, handle) EU citizens personal data. The biggest change is to consent After May 25th 2018, we ll all have to have explicit consent to contact people. Implied consent won t be enough. Just because we communicate with someone now, that doesn t mean we can contact them in the future if we don t have a record of their implicit consent. It won t be enough to say, but those guys have already opted-in to my newsletter? Everyone we contact and everyone whose details we hold will have to have explicitly said that we may still contact them. We ll need an official record of that consent, too. This covers customers, newsletter subscribers, suppliers, anyone whose personal data we collect or hold. We re leaving the EU. All of my customers are in the UK ~ so what s the big deal? The UK helped to create this regulation. It s % likely we ll adopt it post-brexit.

4 But this can t mean we ll have to contact EVERYONE we know AGAIN, just to get their consent to hold their details or maybe contact them in the future can it? Um, that s exactly what this means. And there s more... It s all about being proactive The changes mean we won t be allowed to get in touch or carry on with a working relationship with any of our contacts unless they specifically opt-in to receive communications from us ~ that s customers, and suppliers, and prospective contacts alike. Silence or inactivity won t count as consent. A pre-ticked box won t count as consent. The fact we ve known someone for 20 years won t count as consent. Consent to communicate with someone will only count if it s an affirmative action that a person or person representing a business actively takes. Everyone will have to say yes again, before we can use their details again. What s more, we ll have to confirm the people we d like to contact really are who they say they are I m not making this up, I promise which is known as a double opt-in. (Don t panic: this is the please click on the link in the we ve just sent you process you ve been seeing recently.) Legal definitions Consent: freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Personal data: any information relating to an identified or identifiable natural person ( data subject ); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

5 Know what you have to do You may find that much of this comes under the heading, we already do that. But after May 25th 2018 we ll all need to be in a position where we must prove we have processes in place that will help us meet the GDPR s expectations. We can tackle this in 12 parts: 1 ~ make sure everyone who needs to know, does know about the GDPR The EU GDPR is coming into force on May 25th Make sure everyone in your business knows that you ll need to assess and meet the expectations of these new regulations. 2 ~ confirm if the GDPR will affect you (it probably does) Businesses will have to be capable of showing how they re complying with the data protection principles. Work out whether or not you hold any personal data in our industry, you probably do where it s come from, how you ve collected it, what you re doing with it, why you need it, and who you share it with at the moment. 3 ~ update notices you re using in your business that say you collect people s personal data You ll have to give people more information when you collect or want to hold their personal data. Look at your privacy notices and policies now, and work out which ones need updating. 4 ~ understand what individuals updated rights will be under the GDPR Individuals will have the rights to:- access the information you re holding about them; get you to correct mistakes; move their data from you to someone else, with ease; prevent direct marketing; prevent automatic decisionmaking and profiling; and get you to delete information (the right to be forgotten ). Review privacy and data protection procedures you ve got in place now, to make sure they stand up to the GDPR s new format..

6 5 ~ update the procedures you have for handling requests to access personal data 8 ~ make sure that you know how you would handle data breaches You ll have to respond within one month (it was 40 days), you can t charge fees to release data and and individuals may ask for extra information. Review and update your current procedures for handling requests to access personal data. 6 ~ document why you re processing personal data in the first place The legal basis for processing will have to be explained in privacy notices and in response to requests for acces to personal data. Review what you re doing in terms of data processing now. Identify and document the reasons why do it. 7 ~ put explicit consent procedures into place right across your business Consent must be freely given, specific, informed, and unambiguous. Recording that consent will be important; you ll have to prove that consent was given. Review how you ask for, get, and record consent from people. The GDPR is increasing the number of businesses that have to notify the Information Commisioner s Office (ICO) and private individuals of data breaches. Failure to comply may lead to a fine by the ICO it s a big one. It won t be enough to have policies in place that try to protect data. You must have procedures that detect, investigate, and report back if something goes wrong with the way you hold personal data. Are there are big fines for not doing this properly? Yes. Up to 20 million or 4% of global annual turnover. 9 ~ update your procedures concerning the collection of children s data You ll need parental or guardian consent to process personal data of children (anyone under 13 in the UK). Consent must be verifiable and written in child-friendly language Create and put in place new practices for (i) verifying the age of individuals and (ii) getting parental or guardian consent when you re processing the data of children.

7 ~ if it s appropriate, nominate a Data Protection Officer 10 Public authorities and large businesses will have to appoint a Data Protection Officer (DPO) who be responsible for being compliant. If you re a large organisation, the chances are you already have a Data Protection Officer in place. Even if you re not, it makes sense to decide on one person who ll be responsible for making sure you re compliant with the new legislation. ~ understand what will happen if there s a problem 12 The GDPR put a system into place to work out which authority takes the lead if there s a complaint against you from someone in the EU. You need to decide which authority would take the lead if you had a problem (probably the Information Commissioner s Office), and make that clear in your data policies. 11 ~ put data protection by design into place; and decide if DPIAs are necessary Organisations must take a privacy by design approach to business including data protection in the design of new systems and in some situations you must do Data Protection Impact Assessments (DPIAs). Know if DPIAs should be used in your business (don t panic - there s a long and comprehensive list on the last page or so), work out who should be involved and what you need to do; and when you re desgining a new system (say, a customer data base), you have to make data protection a part of your specifications. Cookies, right? Yup. We can t assume consent has been given automatically any more, so our websites will have to turn website cookies off by default. We can only start tracking or collecting details after visitors have explicitly agreed we can.

8 See how you can get ahead of the game Start the opt-in process now Start sending opt-ins now. Explain that customers, suppliers and subscribers have to confirm they d like to carry on getting communications from you. Include simple messages in contracts and invoices (doing this electronically helps you to start building up provable records). Follow up if people ignore you ~ make it clear they ll be missing out on essential communications if they don t opt-in ~ but respect their choices if they decline. Many big businesses are having a (what s the proper term?) a total wobbly about the GDPR, because it means they won t be allowed to mass-market. No. More. Spam. That s the theory, anyway. If you re a big business there s clearly a downside to that. But the upside - for all of us - is that databases will be cleaner, which brings down the costs of communicating. And for individuals? For customers? It means we ll all get the information we want from a company, not the junkmail we don t. Make your opt-ins are up to scratch Get ahead now. To be compliant with the GDPR, your opt-in statement must include: content that states they ll be getting on-going communications from you by opting-in. a clear statement explaining which business will have access to their personal data, plus information that shows how to contact that business with questions about their data. an unsubscribe or opt-out message that has no negative connotations (you can t say, you can opt-out but we ll charge you an admin fee). an affirmative action option: people must have to do something to confirm they are opting in (pre-ticked boxes are a no-no). Create the right systems, stay on track Look at the way your cookies work, get up to speed with any new changes you ll need to make to newsletters and regular communications. If in doubt, search for [ICO GDPR] online, and you ll find the guidelines publsihed by the Information Commissioner s Office. (Some are simple, some are havy going.)

9 The DPIA-what? In general, it s a bigger businesses thing, but it s worth listing the Data Protection Impact Assessment requirements. You ll need (specialist) advice if these tick boxes in your business: genetic data is used, such as biotechnology or bioinformatics. private data is collected from third parties and it s used to decide if that party can or can t deny to a service. data is used to assess a person s finances, or to prepare a user profile to assess risk. the data processing might carry a risk to physical health of the user personal financial (or otherwise sensitive) data is used for other purposes than those for which it was initially collected recording the knowledge, benefits, abilities or mental health of children is made, especially to monitor their progress (as in, school testing). data is used to communicate, disclose or make information available a large number of people. there s a need to assess and process private personal aspects, such as analyses based on: economic status, health, personal preferences, interests, reliability, behavior, location data or travel patterns (so, for example, do you do any analyses of whereabouts your prospective customers live or work?) profiling is used on a large scale in your business in the case of large-scale processing of children data, if it s for a reason other than that for which it was originally collected. there are projected common applications or entire environments for large sectors or occupational segments, or activities in which sensitive data is used (in essence, this applies to you if you track people s / employees activities). Okay, is that it? Pretty much. This is me. Any questions, shout. Merryn Henderson merryn@uniqueulogy.com UNIQUEULOGY Uniqueulogy Ltd. Registered in England Co No: Office: 21 Croxton Road, Fulmodeston, NR21 0NJ me: merryn@uniqueulogy.com Call us;