The General Data Protection Regulations (GDPR) will be coming into force in just 8 weeks, so it’s time to get your house in order. If you don’t know what GDPR is, here’s a quick overview, with some further reading and listening.
Please note this article does not constitute legal advice. You are advised to do your own research, and seek independent legal advice on specific issues.
What is GDPR
GDPR is the new EU-wide legislation on Data Protection. It will be enshrined in UK law too, so we will still have to abide by it after Brexit.
It ties up a lot of loose ends from previous Data Protection regulation and adds a lot of things in too.
If you are not compliant, you can be liable to massive (up to £20 million – yes you read that right, twenty million) fines. But if you can show that you are working towards compliance this will count in your favour.
How GDPR is likely to affect you:
This is NOT an exhaustive list, and does NOT represent legal advice. But I want to give you a snap shot of the sort of things that are covered.
If you are already following current law, there’s not that much change in data protection. But you must keep records on how and where you collect data, (so make sure you know exactly where your lists are kept and how they are kept). People must have given informed consent for you to collect it and use it (no more opt-out boxes, opt-in boxes only) and people must be able to not only opt out of mailing lists but be permanently deleted from them.
- This means that if you hold data – names, email addresses, postal addresses, phone numbers of customers or clients or potential customers, then you must have EXPRESS permission not only to use it, but what you can use it for. (For example, I cannot use the Design@HEART mailing list to send out information about my own design business because you didn’t sign up for that).
- You must check that you are only collecting data that you really need (if you never send anything by post do you need a postal address for example)
- You must know where all your data is held – whether it’s on a secure website, or in something like Mailchimp, or on your laptop, or in wads of paper under your bed. If you have a legitimate reason for still needing and using it, it must be secured (locked away, encrypted etc), if not, then it needs shredding.
- You must make sure that people who sign up to your mailing lists are told exactly how you will use their data, and they must have a straight forward opt-out option for leaving the mailing list. At which point you have to remove them from the list, not just stop sending them things.
- You must make sure that all the people on your mailing list have given permission to be on it. If you are not using software such as Mailchimp, but just have a spreadsheet of your own, you need to contact everyone and ask them whether they want to be on it. And remember to delete people who don’t.
One of the new features of GDPR is that it covers social media profiles and photographs. Please be sure to read up on this. You cannot assume that just because people contact you through Social Media that you can use their email address to send them information for instance.
Photographs that can be used as biometric information (facial recognition) will be considered personal data by GDPR. If you have photographs with people in them where their faces are recognisable then you would need to have their express permission to use them. They would need to have clear information about the context in which the photos would be used, they would need to have access to those photos, and the right to erase them (ie removed from websites, social media, printed materials etc). If photographs feature children under 18 years, full written parental consent must be given. This is not a comprehensive list. Please do your research.
I can highly recommend this podcast from Blogtacular
Theres a good summary of your obligations in this article from Sixth Sense PR
The definitive guide to GDPR from the official page of the Information Commissioner’s Office
An overview of best practice for photographers in this article from dotkumo
An article from Our Social Times about GDPR and Social Media
Once again, please do your own research, and do not take this as a comprehensive list of things you must do.