We get asked a lot about how to become compliant with GDPR so when we spoke to the ICO, this is what they said.
On 25th May 2018 the EU changed its data protection laws; the new law is called the GDPR (General Data Protection Regulation). It is the responsibility of individuals to ensure they are GDPR compliant, and compliance goes beyond how data is collected by a website.
If you have a basic enquiry form on your website that contains the following fields (for example):
- Message [free text area]
GDPR Compliance for Small Businesses. Step 1
You would first need to work out 'how' you process data from a potential customer when you receive it. How you receive that data can vary: it could be via telephone calls, a website enquiry form (see above), a written survey, etc. What you do with that data, and with any further information you obtain from that customer once they are a customer, is also covered by the GDPR and is vital to compliance. Every company is different in the way it handles customer data. The ICO states that you MUST have a lawful basis for processing before you process any data, so you must choose which 'lawful basis for processing data' applies to you and your business. There are 8 categories of lawful basis for processing data to choose from, supplied by the ICO as follows:
- Consent - see lawful basis for processing consent - ICO
- Contract - see lawful basis for processing contract - ICO
- Legal obligation - see lawful basis for processing legal obligation - ICO
- Vital interests - see lawful basis for processing vital interests - ICO
- Public task - see lawful basis for processing public task - ICO
- Legitimate interests - see lawful basis for processing legitimate interests - ICO
- Special category data (i.e. medical) - see lawful basis for processing special category data - ICO
- Criminal offence data - see lawful basis for processing criminal offence data - ICO
If you are unsure which category you need to study, read them all; if you are still unsure, call the ICO during office hours on 0303 123 1113. If, for instance, you are a therapist, you should read the lawful basis for processing special category data.
GDPR Compliance for Small Businesses. Step 2
You also need to ensure you have clear written policies on how you look after your customers' data, in line with their right to be informed. Again, you must contact the ICO to ensure your business is compliant with GDPR; it is your sole responsibility.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The ICO website explains these rights for you. See GDPR Individual rights explained by the ICO.
Make your own privacy notice