Now that Christmas is firmly behind us and the New Year has taken hold, many businesses are turning their attention towards the dreaded GDPR changes. But did you know that GDPR is already in place? The May implementation date is simply the deadline by which businesses in the EU (or handling EU data) need to be compliant. So this week, we wanted to take a look at the new GDPR rules around how businesses acquire, use and store personal data, and how they might affect your business.
So What Are The New Rules?
GDPR brings in new rules for all 4 areas of personal data handling for businesses:
This is one of the major changes GDPR is bringing about, and the one that is confusing people the most. Under the new regulations, businesses are now required to keep a thorough record of how and when an individual gives consent for them to store and use their personal data. And unlike previous data protection laws, consent must now be active, meaning people have to opt in, rather than opt out. So no more pre-ticked boxes, and no more automatic adding to mailing lists. So from May, your business will need to keep a clear audit trail of consent for every individual you keep data on.
When personal data is obtained, it must be stored in a way that is not only secure, but also easy to find and delete if requested. For many businesses, deleting an individual’s details could mean hours of going through different storage systems and deleting data from several places, which is not sustainable. This may mean a full overhaul of your data storage system to collate and audit what personal data you hold.
GDPR also further tightens the rules around what you are allowed to do with personal data once you have it. Essentially, your use of the data has to match the use the individual consented to (which will be found in your consent records). You can’t use the data for anything you have not been given express permission to use it for.
And finally, GDPR also dictates that personal data must be destroyed completely and securely once its use has come to an end. Not only that, but individuals now also have the right to withdraw that consent at any time, and the business must comply by permanently deleting all of their data (not just removing them from a mailing list) in a secure and immediate fashion.
At Tipac, we believe the transition process to GDPR compliance should be as painless as possible, but the sheer volume of data handling and management needed is proving to be a challenge too great for many businesses to deal with alone. That’s where our bespoke document management solutions can help. With detailed data lifecycle management, secure access and digital signature capabilities, it has never been easier to be GDPR compliant. For more information, contact one of our team today.