Page 65 - NACC – 2018 Yearbook
Everyone’s talking about GDPR
General Data Protection Regulation
GDPR became enforceable in all EU member states, including the UK, from 25 May 2018. But what is it, and how can you be sure you’re compliant?
WHAT IS GDPR?
GDPR is the biggest shake-up of data protection regulation in over twenty years. It unifies data protection law across the European Union and took the EU four years to complete. It brings the legislation up to date with the ways data is now used, especially with internet and cloud-based technology. Individuals have far greater rights over their data: how it is used, stored and updated.
GUIDANCE FOR MEMBERS
Sharing Personal Data: Sending personal data by email is a potential breach of GDPR, as email is not always secure. This applies particularly to Excel spreadsheets sent to suppliers or circulated internally. Limit the detail and send only the fields that are essential. Ideally, use names only or, internally, just send the location of the file rather than the file itself. It is also recommended to password protect Excel spreadsheets; note that only the “encrypt with password” (password to open) option actually encrypts the file, while sheet or workbook protection does not, and the password should be sent by a separate channel, never in the same email. Consider using data sharing services, for example Dropbox, bearing in mind that any such provider is a processor of your data and should be covered by a suitable agreement.
Archiving Old Data: To comply with the Storage Limitation principle of GDPR, data should not be kept longer than is reasonably necessary. Review the data you have stored, archive where appropriate and delete what is no longer needed. Data should be regularly reviewed and updated.
Privacy Notices: To comply with many of the GDPR principles you need to review Privacy Notices you have on your websites and across all marketing, online registration and sales calls (both inbound and outbound).
Sensitive Data – Dietary & Health Information:
Dietary requirements and health information are deemed sensitive (special category) data and must be treated carefully. When holding this information, you should ideally obtain explicit consent from the individual to hold it, store it securely and tell them what you are going to do with it.
GDPR Documentation and Complaints Procedure:
You need to document your processes and procedures to demonstrate compliance with GDPR. This means a full review of the data held, how long it is stored for and the purpose it is used for. You will need this if you are audited by the ICO (Information Commissioner’s Office), if there is a complaint, or if a customer requests a copy of their data.
Staff Training: Train your staff on GDPR and the measures your company is putting in place to ensure it is compliant. Include this in your induction process and also in staff reviews and refresher training. Think about appointing a data protection officer (DPO) in the business who is responsible for compliance.
Passwords & Computer Security: GDPR states that systems should be designed with privacy in mind; here are some tips:
Reset weak or shared passwords, and set computers to lock or time out when not in use
Password protect (encrypt) spreadsheets to make them more secure
Be aware of the risks of accessing emails containing personal data on mobile phones
Files containing personal customer data, and any external hard drives stored in the office, need to be kept in a locked cupboard, and drives should ideally be encrypted
Be aware of public Wi-Fi off-site; use a VPN
Be careful of sensitive data being visible at the reception area; use privacy screen filters if necessary
KEY PRINCIPLES
[Diagram of the key principles: Accountability, Transparency, Consent, Privacy in mind, Personal data rights, Purpose limitation, Minimisation, Accuracy, Storage limitation, Integrity & confidentiality. Each is explained below.]
Accountability: Be accountable for data; document the personal data you hold, where it came from, and who you share it with.
Transparency: You must be transparent using clear language.
Consent: Consent is one of the lawful bases for processing under the new regulation, and the one with the highest standard attached. Where you rely on it, you must seek it, confirm it and document it. Doing consent well should put individuals in control, build customer trust and enhance your reputation.
Privacy in mind: Provide clear, easily understood privacy notices. Data protection impact assessments (DPIAs) will need to be carried out for processing that is likely to be high risk to individuals.
Personal Data Rights: Individuals have greatly expanded rights over their data: the right to be informed what you are doing with their data, the right to access a copy of it and, on request, the right to have data you hold corrected or deleted, subject to the exemptions set out in the regulation.
Purpose Limitation: You need to explain why you are collecting the data and what you will be doing with it. You will need to justify and document the legal basis for processing all personal data.
Minimisation: Only hold the minimum amount of data.
Accuracy: Data must be accurate and where necessary kept up to date.
Storage Limitation: Data should not be kept longer than is necessary; delete or anonymise data once it is no longer needed.
Integrity and Confidentiality: Handle data sensibly, ensuring appropriate security of the personal data against unauthorised access, loss or damage.
For further details visit www.ico.org.uk or email The NACC at: info@thenacc.co.uk