Are you transparent enough about your data collection?

Do you collect information which could be used to have an unfair adverse effect on an individual if it was shared?

With the development of digital platforms and devices, individuals may not even be aware information about them is being collected. For example their location, records of purchases or online activity which infers health status or sexual orientation. It is important you explain clearly in your privacy notice that you will be using the information in a way they would expect.

GDPR: The Right to be Informed

From the start of your relationship with new customers or businesses, you need to be clear about what information you are collecting about them and how you will use it. This is generally established through a privacy notice which explains the processing of personal data.

Most businesses already have a privacy notice in place; you will need to review the existing wording to ensure it will be compliant with the new regulation. Under the GDPR there are some additional things you will have to tell people and the need for transparency is an emphasis in the GDPR.

Your privacy notice should be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. When you collect personal data you currently have to give people certain information, such as who you are and how you intend to use their information. Moving forward you will also need to explain your lawful basis for processing the data, your data retention periods and that an individual has a right to complain to the ICO if they think there is a problem with the way you are handling their data.

When the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 it will give eight rights to individuals about how information about them is gathered, stored and used. To cover all these elements the ICO suggest you consider the following issues when writing a privacy notice:

  1. What information is being collected?
  2. Who is collecting it?
  3. How is it collected?
  4. Why is it being collected?
  5. How will it be used?
  6. Who will it be shared with?
  7. What will be the effect of this on the individuals concerned?
  8. Is the intended use likely to cause individuals to object or complain?

Does your company meet the GDPR Fundamentals Standard?

There is no shortage of advice on GDPR, but if want to take a more practical approach, Kate Armstrong, nesma Tutor and Blue Shadow Growth Agency’s Managing Director is a registered GDPR Fundamentals Practitioner and recognised as a specialist in the new GDPR Fundamental standard.  

If you would like some practical help with GDPR, this 3-part programme of activity is ideal for you. The programme will help you understand your organisation’s legal duties, put a spotlight on any changes you need to make and ultimately ensure you reach the GDPR Fundamentals standard.

The GDPR Fundamentals standard* has been devised to assist organisations in their efforts to comply with the with the new data protection regulations. It offers businesses the opportunity to obtain external recognition of their GDPR management system and has been written using the principles of General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

There are three elements; the training, the audit and the certificate.

The Training will give you the knowledge to assess organisation relative to the GDPR requirements using a practical framework that will assist you to understand what it means to be compliant. Businesses will receive a GDPR Fundamentals attendance certificate from the accrediting body on completion of the course of the 1-day training.

The Audit delivered in the form of a 2-hour survey carried out by an accredited GDPR Fundamentals Practitioner will help you to assess your systems and policies against the demands of the GDPR Fundamentals standard.

The GDPR Fundamentals Certificate of Compliance is a recognised management standard for data protection compliance which immediately identifies that your organisation has been audited by an independent third party and that you can demonstrate compliance.

Find out more about the GDPR Fundamentals programme –

19 March – Carlisle

28 March – Newcastle

20 April – Newcastle

27 April – Carlisle

The 1-day training costs start at £395 + VAT per person.

Get more information about this course and the full programme by emailing hello@nesma.co.uk or calling Kate Armstrong on 07930 473 971.

Disclaimer

This information is aimed at giving you a summary of current and emerging data protection and privacy regulations and guidance. It is not intended as legal advice and is not represented as such by the author or publisher. It is advised that legal counsel is sought to ensure compliance with legislation.

The Information Commissioner’s Office (ICO) is the UK‘s representative in Europe and will be the regulator in the UK.  Many businesses are unsure how it will impact their business or what changes they need to make. The key message is don’t panic.
*QG Business Solutions is the Accreditation Body based in the UK.