The GDPR comes into effect on 25th May 2018.
Are you a Data Controller or a Data Processor?
You need to establish whether you decide the purposes and means of processing personal data (a Data Controller) or process personal data on behalf of a controller (a Data Processor). An organisation can be both, and each role carries its own obligations.
Consent when collecting data
GDPR now has a stricter definition of consent (Article 4(11)):
“…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement…”
Consent must be:
- Clearly distinguishable from other matters (not buried in terms and conditions, and not a pre-ticked box).
- As easy to withdraw as to give.
- Demonstrable: you must be able to show that consent was given (e.g. record the date/time of consent, what the person consented to and how they gave it).
Personal data breaches
In the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO (the UK supervisory authority). A Data Processor must notify the Data Controller without undue delay after becoming aware of a breach. The controller must also notify the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, and must keep a breach log documenting every breach, its effects and the remedial action taken, whether or not it was reported.
Special Category Data
GDPR refers to special category data, which is subject to tighter controls and can only be processed under one of the specific conditions in Article 9. This covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data on sex life or sexual orientation. Note that IP addresses and other online identifiers are now explicitly treated as ‘personal data’, although they are not special category data.
Transparency and purpose limitation
- Inform people what you are going to do with their data before you collect it (e.g. in a privacy notice).
- Limit the use of the data to the purposes you told people about; further use for an incompatible purpose needs a new lawful basis and fresh notice.