The EU GDPR (General Data Protection Regulation) is the most important change in data privacy regulation in 20 years. It fundamentally changes the way personal data is handled across all industries. There is a whole site dedicated to GDPR at https://eugdpr.org/; below is a short summary to get you started.
What is GDPR?
- It’s an updated version of the Data Protection Act 1998
- EU Legislation
- Took effect in May 2018
- The main principle = ACCOUNTABILITY
The regulation gives the consumer individual rights over their data; they have the right to:
- Be informed of any data you hold about them
- Access their data
- Rectify their data
- Erase their data
- Restrict the processing of their data
- Object to having their data stored
This relates to any personal data, which is defined as anything that can identify an individual, i.e. one or more factors specific to the online, physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Things to consider if you collect or handle any customer data:
- Consent – customers must clearly give their consent for you to gather, store and use their data. It must be as easy to give consent as it is to withdraw consent.
- Breach – if there is a data breach, the customer must be informed within 72 hours
- Right to access – customers have the right to understand how, where and why their data is being processed. A copy of the customer's personal data must be provided on request, electronically and free of charge.
- Right to be forgotten – customers have the right to request that their data is erased from your systems and excluded from further use.
- Privacy by design – this refers to data holders implementing appropriate technical and organisational measures to meet the requirements of the Regulation and protect the rights of data subjects. You should only hold the data that is absolutely necessary, and customers' data should be processed by a limited number of employees.