Disclaimer: With the General Data Protection Regulation (GDPR) coming into effect on Friday 25 May 2018, this article is for the sole purpose of information sharing. Please refer to the Information Commissioner's Office in the UK for specific advice, and/or the European Commission for detailed guidance and a copy of the GDPR regulation.
A brief background on The General Data Protection Regulation (GDPR)
Prior to the GDPR, the EU Data Protection Directive was drawn up in 1995. In that same year Microsoft introduced Internet Explorer 1, and Amazon and eBay were founded. In 1995, the number of internet users globally was 16 million.
In the UK, the Data Protection Act 1998* is an Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It follows the EU Data Protection Directive 1995 on the protection, processing and movement of data. In 1998, the best connection users could hope for was a 56Kbps dial-up connection, and Steve Jobs launched the original iMac.
Fast forward to 2017: as of June 2017, 51% of the world's population has internet access, with over 4 billion users. Mobile phones and social media are very much part of our daily lives. We now share an incredible amount of information about ourselves, from basic contact details through to credit card information, photos and browsing preferences. This data may enhance our online experience; however, it also brings the threat of falling victim to fraudulent payments and identity theft.
Over the last 25 years technology has transformed our lives, so a review of the rules was needed. The General Data Protection Regulation came into effect on 25th May 2018, aimed at making Europe fit for the digital age.
Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable in full to all member states to protect EU citizens in a global economy. The GDPR is also applicable to any company, no matter where it is based, that processes the personal data of EU citizens.
The main objective is to give individuals full control over all their personal data: to know exactly what data is being collected about them and what is happening to the data they share online. With the GDPR, consent is the priority, giving consumers the control they need to feel safe sharing their data.
So, as Virtual Assistants, here are 5 basic recommendations:
- Be clear on the GDPR Principles: There are six privacy principles for General Data Protection Regulation compliance.
- Be clear on the Rights of Data Subjects: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
- Controllers vs Processors: the two roles, and the obligations of each, are clearly described in Chapter 4 of the General Data Protection Regulation (GDPR).
- Review your processes:
  - This is an ongoing process: review the type of personal data you hold, where you store it, how you manage it and how you keep records of the way you handle it
  - Review your terms of business
  - Have a secure storage system in place: use cloud storage systems that are encrypted to bank-grade standards and safe
  - Delete ALL personal records of previous clients that do not have to be kept by law or because of a contract between you, and have a system in place to regularly delete any data you no longer need to hold
  - Do NOT keep personal data in your email accounts
  - Regularly delete the files in your downloads folder
  - Regularly empty your recycle bin
- Communicate openly with your clients, and do not hold personal data that you do not need to complete tasks; minimise to only the necessary data. For example, passport copies or credit card details used when booking travel need to be stored in a secure environment encrypted to bank-grade standards and deleted as soon as they are no longer needed.
- Obtain Consent: if processing newsletter lists on behalf of clients, you need to be clear that consent is already in place, and use secure systems that are registered with Privacy Shield (if US based) and fully comply with the GDPR. When managing your own lists, your opt-in page and wording should be clear and compliant with the GDPR.
Best practice for VAs when it comes to data protection is ongoing process review and awareness of the controls in place. We are all bound by confidentiality and integrity to deliver a remote professional service where there is no compromise on data protection, and the GDPR will shape that for us.