An Introduction to GDPR
The General Data Protection Regulation, more commonly known as GDPR, will come into force this year. Is your business ready for the changes?
The GDPR is the biggest change to Data Privacy laws in the EU in recent years. It is designed to align the data protection and privacy laws of all EU member states, providing all EU citizens with the same rights.
The GDPR comes into effect in May 2018. The decision of the UK government to leave the EU in 2019 will not have any impact on the requirements of the UK to comply with GDPR. It has also been confirmed that the UK will look to retain GDPR after Brexit, and the Data Protection Bill is currently being reviewed.
So what exactly is GDPR?
GDPR is designed to enhance and align the privacy rights of EU citizens. The GDPR is similar in design to the Data Protection Act (1998), but with a few enhancements that are more notable.
As individuals, we are all aware that there are many companies who hold our personal information, such as financial institutions, utility companies and social media platforms. But do you know what information these companies hold about you? Do you know why they have your information? Do they still need to have your information?
Questions like these are difficult to answer. In addition, there may be companies out there that have our information, and we don’t even know about it.
GDPR has been designed to address these issues, so that all Data Subjects (an EU citizen whom a company holds personal information on) can better control their personal information that is held by companies.
GDPR provides EU citizens the right to:
- Information and transparency
- Access and rectification
- Restrict processing
- Data portability
For businesses who hold, store or process the personal information of Data Subjects, the GDPR sets out important rules they must abide by.
What does this mean to you as a business?
It is likely that your business holds personal information belonging to Data Subjects. As such, if you hold any personal information, you need to ensure your business is GDPR compliant.
You should by now be well on your way to ensuring GDPR compliance within your business, but if you are not, don’t panic, there is still time. A survey conducted by YouGov in April 2017 identified that only 38% of senior decision makers were aware of the new GDPR rules, and just 29% of companies surveyed had started preparing for GDPR. These numbers are likely to have risen since the survey was conducted, however it does provide an alarming statistic regarding readiness for GDPR.
Your business is responsible for the data that you hold – the sourcing of the data, the reason for collection, and any subsequent processing.
Every business obtains data in a variety of ways – whether through its own channels, or obtained from other organisations. Equally, what a business does with that data will be unique – whether it is solely used to track sales orders, or it is used for other purposes. As such, because of the wide array of processing that could potentially occur, you will not find one single piece of software that will make your business GDPR compliant. Data Protection requires a multi-disciplinary approach, involving people, process and technology. It will be all of these that ensure your compliance.
How is OrderWise preparing for the GDPR?
We have been working though our GDPR preparations since 2016, when the Regulations were confirmed.
As a trusted and responsible software provider, we want to reassure you that we are doing everything we can to become GDPR compliant.
Internally, our key achievements so far include:
- Registration with the Information Commissioner’s Office
- Appointment of a GDPR project task team
- Full Privacy Impact Assessments for all areas of the business – a risk assessment for our processes involving personal data
- Compilation of a Personal Information Register – a detailed account of the personal data we hold, and the reasons why
- Significant investment in file auditing software – enabling full tracking of any file within our business, with the facility to raise alerts in real time for unauthorised use
- Automated file deletion – files are securely deleted after a set period of time to prevent unnecessary storage
As a business, we are continuously working to ensure our GDPR compliance and being responsive to any late amendments or revisions to the Regulations.
We are also reviewing our external requirements regarding GDPR, and the actions we need to take.
The actions include:
- Update to our website privacy notices
- Update to our software licence agreements
- Making it easier for our customers to update marketing preferences
- Review of our own processes to ensure correct and lawful processing
- Employee awareness training
- Data breach reporting process
- Reviewing any system development that may be required to assist us, and our software users, in maintaining GDPR compliance
We have had many questions asked of us by our clients, who want to find out more information regarding GDPR and looking for assistance to gain compliance. For your benefit, we have included some of the most common questions below:
Is OrderWise software GDPR compliant?
No single piece of software is GDPR compliant, as it’s the data itself that affects the compliance element. For example, if personal information is obtained for the purposes of marketing, but this information is subsequently used for any other purpose, then it is likely not GDPR compliant. We do provide tools within the software to assist you with your GDPR compliance, but as a data controller, your business is responsible for how this data is used to ensure compliance.
Is it just my customer list I need to worry about for GDPR?
This again comes back to the actual data you hold. It is likely that your customer list contains personal information, however, there may be other areas in your OrderWise where you hold personal information.
Many businesses only look at the customer side of personal data, and forget that other personal information, such as their own employee data, is also covered by GDPR.
Can OrderWise tell me what I need to do to become GDPR compliant?
Whilst we will happily support you on your way to becoming GDPR compliant, we can’t audit your data or your processes, or provide guidance on what you need to do. We can assist you with advice on how to achieve a particular task, eg, how to edit a customer or contact within the software, but ultimately, we cannot tell you what to do to be GDPR compliant. Your business is responsible for the data you hold and ensuring your own compliance.
The Information Commissioner’s Office is able to provide guidance on becoming GDPR compliant, and have plenty of resources on their website to assist you in your GDPR compliance. Further information available here.
We are looking at any required system development which will assist in GDPR compliance, but ultimately, your business has the sole responsibility of becoming GDPR compliant.
Does OrderWise have a data breach reporting process?
Yes we do. In our 27 years of trading, we are proud to have not had a data breach. However, this does not provide cause for complacency. As per the GDPR guidelines, any data breach will be reported to the supervisory authority (Information Commissioner’s Office) within 72 hours of us becoming aware of it. We have invested heavily in extra software that performs a number of file auditing tasks for us, and provides real time alerts regarding data access and use.
What is OrderWise doing to ensure its employees are aware of GDPR?
On commencement of employment, all of our employees sign a confidentiality agreement. In addition, all of our employees complete a mandatory internal data security training course. We are currently developing a GDPR compliance and phishing & IT security training course, which again will be mandatory for all employees to complete. All department managers are GDPR stakeholders, meaning that they are regularly briefed on developments with GDPR and necessary actions to take.
Do I need to delete all the data from OrderWise?
In short, no. As a business, you will be aware of the legal requirement for you to hold information relating to your company accounts for a minimum period of 6 years. This includes, amongst other things, invoices. The invoices will likely include personal information, for example the name and address of a data subject.
What does OrderWise (processor) do with the data that belongs to clients (controller)?
There are a number of instances where you may be providing us with access to your data. It could be at the start of your OrderWise journey where you provide us with your business information, such as your customer list, or it could be when you have encountered something that you would like us to investigate and allow us to take a backup of your database.
As a business, we have no interest in the actual data that you provide us, other than for the purposes of building a database or for resolving a query. We don’t use your business data for any other purposes – for example, we would never take a copy of your customer data and start marketing to them. Your customer data is yours, and yours only.
We will shortly be updating the licence agreement for the software to outline our processing activities for the data.