Meantime's quick guide to GDPR
Nobody can have avoided hearing about the EU's General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The last 18 months have been a busy time for us and our clients: to prepare for this significant legislation our team began attending webinars and reading research material as far back as September 2016. Despite the United Kingdom being scheduled to leave the European Union in 2019, the GDPR's requirements have been written into UK law through the Data Protection Act 2018, which received Royal Assent on 23 May 2018 and contains equivalent regulations and protections. There is of course nothing stopping the UK government modifying this once we do officially leave, but for now the two remain in step.
GDPR regulates the processing of personal data (what many of us call personally identifiable information, or PII) belonging to individuals, or 'data subjects' as they are more formally called. It is tricky because it doesn't just apply to businesses based in Europe: it applies to anyone offering goods or services to, or monitoring, people in the EU, regardless of where the business itself is located. If you are found to be in breach of GDPR, you can face a fine of up to €20 million or 4% of annual worldwide turnover, whichever is greater, which is why it has been taken so very seriously!
We won't try to explain it all here, but the basics of GDPR are simple to grasp. For example, you must now have a lawful basis (in practice, a legitimate business reason) for every piece of data you collect about a subject. If you were running a travel system, the passport number is vital but the traveller's hair colour or religious beliefs are not. Equally, data may only be used for the purpose for which it was collected; any other use needs consent or another lawful basis of its own. In the same travel-system example, you would need the person's consent to share their data with the marketing team so they can be emailed about special offers, but you wouldn't need consent to email them about their own booking.
You must also have a clear policy for how long you will keep someone's data. Most large businesses have catered for this change by updating their privacy policies, which is why you'll have seen a flurry of notices on nearly every website you have visited. The subject has a right to have their data deleted before that retention period has elapsed, and a right to see what data you hold about them.
There is also the trickier question of what counts as personal data. It is anything that can identify a living person, on its own or in combination with other information: a name, an email address, an IP address, a residential address, a vehicle registration, or even a photograph.
Oh, and perhaps you're wondering why everyone has been asking you to re-consent to marketing emails when it has been illegal to email you without consent since the Privacy and Electronic Communications Regulations came into force in 2003. Simply put, GDPR raised the bar for what counts as consent and what you have to be able to prove. Firstly, you must have consent: most people can demonstrate that. Secondly, you must be able to show where the data came from and that it was legitimately obtained: slightly harder, but it should have been possible. And finally, you must be able to prove the date on which consent was obtained. That last part is the one that had lawyers trembling, as recording that data element was not always commonplace, hence the 'belt-and-braces' approach most have taken of asking everyone again. It was illuminating to see all the places our email addresses had got to over the years.
Because everything we build is bespoke, you might not see exactly what you need. If that’s the case please get in touch. We'd be happy to discuss how we can help you to take the first step to cutting costs and growing beyond all expectations.