GDPR (the General Data Protection Regulation) is an EU-level law aimed at protecting people’s personal information* and stopping businesses from abusing it. The Data Protection Act 2018 is the UK’s implementation of the EU GDPR regulation.
*Personal information = any data which can be used to personally identify an individual.
The GDPR rationale
1 – Transparency: companies shouldn’t be able to buy, sell or otherwise share people’s personal information without their consent.
2 – Control and Consent: people should have control over how their own personal information is used and stored.
3 – Security: if a company is going to collect personal information, it needs to make sure it is held securely.
4 – Uniformity: in a globalised, online world, it makes sense to have one uniform set of rules which transcend borders so that international businesses clearly know their requirements.
What do you need to do?
Most importantly, you should approach GDPR matters with the ‘Rationale’ above in mind as your starting point. The starting point should not be a very long list of hoops to jump through without any context or reasoning. When people do that, they invariably get things wrong, go overboard and end up doing much more work than they actually need to on this. Remember all those emails you received? A large number of them were simply not legally required.
Rather, the starting point should first be listing out the personal information of users/members/customers (whatever you choose to call them) and staff which you collect and hold, and then running through the following framework:
Transparency (giving information): you need to inform individuals that your company collects their personal information, and tell them about the specific information collected and why.
Control and consent: you need to obtain the consent of individuals before sending them marketing communications (e.g. via tick boxes on sign-up forms).
Key point to note: When someone signs up to your business, they are making a conscious decision to engage with you. Therefore, you are entitled to presume that anyone who gives you their email address is interested in your business and your offering.
The rule generally is that product releases don’t require consent, but marketing communications do. So you need to make a call on which category your communication falls into, but remember you are entitled to use the above rationale rather than being overly cautious. To understand better how to get email compliant under GDPR, please read our article 'Emails and GDPR: quick guide on how to write your GDPR compliant emails'.
Finally, make sure that you’re giving your recipients the option of unsubscribing from your marketing emails.
Security: You must ensure that the data your company holds is safe and secure.
Key point to note: When you use cloud storage or well-known software providers to store data, then typically this will be enough. It is worth keeping a clear record though of which software providers you use for what information.
Control and consent (user request): You should be able to tell users what data your company holds on them, be able to delete their data, or stop using it to target them, if they ask your company to.
Key point to note: GDPR introduced the concept of a ‘data subject access request’, which means that each individual is the ‘subject’ of data held on them, and they can request access to that data or ask you to delete it. If you receive one, you have 1 month to respond, and you can also request an additional 2 months if you need more time.
Once you are comfortable with the framework (points 1-4) above, you should be in a very good position to be a GDPR-compliant business. Simple!
Naturally, there are other questions which can come up, but hopefully this very short guide gives you a clear framework for what you actually need to do to be compliant. Remember that GDPR is more about stopping businesses abusing personal information – so if you feel you are being reasonable and diligent, the odds are you pass the abusiveness test.
This article was written by Legal Sidekick. Legal Sidekick is the legal platform for startups. We offer automated contracts and loads of startup legal resources and guides. For 'how to get GDPR compliant' queries, contact us at hey@legalsidekick@com.