GDPR: We are counting down to 25th May 2018, the date the new data protection legislation comes into force. Many of our clients are asking us how it will affect their marketing strategy for the school market. Find out how you can still benefit from the data that forms an essential part of your client-relationship building and marketing strategy, without breaching the regulations.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a European privacy law, approved by the European Commission, that replaces the “Directive” that has been in place since 1995. Given the changes in technology over the last 23 years, new legislation is needed to protect people’s privacy. It affects how organisations can obtain, store, use and delete personal data.
Do I only have to worry about my UK data?
No. All EU states are covered by the law, so if you operate within the EU and/or offer services to people in EU states, you have to comply.
What rights do individuals have?
You have a legal duty to keep any data you hold secure, both customer and employee data. GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making.
What will happen if I do not comply?
Although you could ultimately be fined, the Information Commissioner’s Office (ICO) states that assessments will be conducted before any fine is imposed. They will consider: ‘the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage.’ (ICO, www.ico.org.uk, accessed 23.4.18). A blog by Elizabeth Denham, Information Commissioner, dated August 9th, 2017, stated: “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.” (www.iconewsblog.org.uk, accessed 23.4.18)
How quickly do we have to report a breach?
You have to report a breach within 72 hours of its discovery. The UK supervisory body is the ICO; their website is at www.ico.org.uk.
Do I need a Data Protection Officer?
Appointing a DPO is considered best practice in larger companies, but in the following cases it is mandatory. Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.