GDP...WHAT?
Many of you may (or may not) have heard of the new GDPR EU
data protection legislation coming into play by the end of May 2018. Here at
Omni we have been reading so many blogs, articles and webinars on the topic, and
to be honest, at first it’s all a bit daunting! Fear not though, we feel
confident that we have got to grips with some of the key points and so wanted
to share with you what we have learnt and areas we feel lots of our past and
present students may need to consider for their own ventures and businesses.
What is GDPR?
GDPR stands for the General Data Protection Regulation and it will replace the current 1995 Data Protection Directive when it takes effect on the 25th of May 2018. The GDPR is an attempt to strengthen and harmonize EU data protection law and enhance the individual’s rights giving them more say on what companies do with their personal data.
Does this apply to me and my business?
Most likely yes! If you run any business within the EU (more on Brexit in a bit) with even only one client, the GDPR rules will apply.
But with Brexit we’ll be leaving the EU!?
We hear your frustrations! Because GDPR will come into effect before Brexit, we will have to comply when it comes into effect on the 25th of May 2018. As this is an EU-wide piece of legislation, it not only applies to the data of clients in your own country but internationally also.
Therefore the reality is if Britain wants to continue to
trade with the EU post-Brexit, the UK will have to implement a replica piece of
legislation to the same high level as the GDPR. If you act on GDPR now, that
will likely cover you for any new legislation post-Brexit.
Do I really need to bother?
The fines for not complying are eye-wateringly extortionate, so this really does need to be taken seriously!
What is classed as personal data?
Personal data counts as any information that can be used, directly or indirectly, to identify someone, such as their first name, last name, email address, bank details, medical information, photo and even their IP address.
In our industry we acquire a lot of personal data on our
clients, not only their names and addresses but also information on allergy
testing and any relevant medical notes. As you will all know this is important,
not only to ensure you are delivering safe treatments but it is also an
insurance requirement for you to hold
this information for seven years.
Ok, so what do I need to do to become GDPR compliant?
Right, make sure you’re sitting comfortably; this may take some time to absorb!
We know at times it may seem like a long, tedious task, but if you’ve already been complying with the UK Data Protection Act 1998 (re-read your EKUs to refresh!) many aspects of GDPR remain the same. What is changing after May 25th is the strong focus on accountability, transparency in how information is used, and ensuring it’s only used with understanding and respect at all times.
Let’s break it down...
Controller vs Processor
The GDPR refers to two main parties responsible, the ‘controller’ and the ‘processor’.
Controller – Assuming you are either a salon or a self-employed freelance therapist, you will be the controller, as you are the one who collects your clients’ data and decides how it will be used.
Processor – This can be any other person, legal person, organisation, public authority or other body that processes your clients’ data under the controller’s instruction. Examples would be booking systems or outsourced marketing companies. You, as the controller, would have to ensure any processor you use is GDPR compliant also.
Legal Basis
You must prove that you have a legal basis for collecting data; you cannot simply collect it for ‘marketing’ or another generic purpose. You will need to explain exactly what information you are collecting and give a legal reason for taking it. This can be as simple as explaining your reasons for asking about and recording any relevant medical history/allergies during consultation.
Have a data audit
Be proactive! Use this as an opportunity to spring clean your admin and carry out an audit of any data you hold. Document all data you have, including the following points:
- Why do you have it?
- How did you obtain it?
- Do you still need it / how long do you intend or need to keep it?
- Does anyone else have access to it?
- How do you store it?
Along
with your data audit, it would be advisable to write up a data protection
policy and a procedures manual.
Clear up your consent forms
In the past it was acceptable to have a generic ‘I agree to receive updates and promotions from.....’ tick box at the bottom of all consultation forms; this is where the biggest change will be. With GDPR you will now be required to be more specific, stating exactly what the data will be used for and why. Pre-ticked boxes are now also a big no-no: your client HAS to opt in.
Rights, rights, rights...
Under GDPR legislation any data always belongs to the person the data relates to. As a result, said person has many rights over that data that you as a controller will have to comply with.
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to portability
Under the GDPR legislation clients can request access to the
data you hold on them at any time and you must produce this free of charge
within 30 days. This is referred to as a SAR (Subject Access Request).
So
there we have it, GDPR key points in a nutshell! We know it may all seem like a
huge task to implement, however if you look at each step and break it into
stages, it’s not so bad!
Please
remember this is purely a blog about our experiences and knowledge on GDPR and
the key areas we believe will affect our industry, we are by no means experts
on the topic and this is not an explicit guide. The legislation will differ
massively depending on the size of your business, the industry you work in and
the way you run your business.
We
would advise you visit the ICO (Information Commissioner’s Office) website for
full guidance on how to prepare for the GDPR by clicking here.
Whilst
on the subject, if you would like to subscribe to hear all the updates from
Omni including our newsletter, blog posts, Academy updates and news and promotions
we will need you to opt-in, you can sign up by clicking here.