You may have heard a lot about GDPR earlier this year, with many brands, companies and businesses - small and large - making changes to the way they store data and becoming more transparent about this to their customers. It was a hot topic in May 2018 but, even though it is hitting fewer headlines now, it is in full effect and you need to be aware of how GDPR affects you and the data you store for your business.
The General Data Protection Regulation (GDPR) came into effect on May 25th 2018. All companies, brands and businesses around the world are affected if they hold or process the data of any person in the EU, regardless of whether they are based in the EU or not.
So… what’s GDPR all about?
All organisations that process personal data are affected by GDPR. This legislation is designed to give citizens more control over their personal data and how it is processed.
Personal data is anything that can directly or indirectly identify an individual, including name, photo, email, bank details, IP addresses, cookies and location data. Non-compliance with GDPR can result in high financial penalties so it’s very important that you abide by the rules in order to protect the data of your customers according to this new legislation.
The “Privacy by design” requirement: You’ll need to design compliant policies, procedures and systems that can protect the data to GDPR standard.
The “Privacy by default” principle: only personal data that is necessary for a specific purpose is to be processed.
In order to process the data of your customers, you need to ensure that you have consent, performance of a contract, protection of vital interests, legal obligation and legitimate interest balanced against the rights of your customers.
Customer consent is incredibly important when it comes to processing the personal data of your customers. You must obtain this consent and it must be “freely given, specific, informed and unambiguous”.
Controller Vs Processor:
- There are different requirements depending on whether you’re a ‘Controller’ or ‘Processor’. A controller determines the purposes and means of processing personal data. A processor processes the personal data as instructed by the Controller.
- Controllers have primary responsibility for data protection, but processors will also have responsibilities so it’s important to know which you fall under and what you must be aware of in your role.
Personal Data Breaches:
If a data breach occurs, the relevant supervisory regulator must be notified within 72 hours of the breach being identified.
The rights of your customers:
With GDPR in force, those in the EU now have important new rights that they can exercise. These include the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability.
What GDPR means to you as part of the MoveGB network:
The full terms & conditions that cover GDPR-related management can be found here, but see below for a brief overview of your duties and responsibilities with data protection.
Processing and Shared Personal Data of Customers:
Both the Partner and MoveGroup shall be Data Controllers in respect of any Personal Data shared between the parties. Both parties shall ensure that any Shared Personal Data is collected and processed in accordance with the Data Protection Legislation.
You, the Partner, can only process personal data for the following purposes:
- Providing products to MoveGroup customers
- Complying with your obligations under the Data Protection Legislation and
- Complying with the Partner’s legal obligations.
Both parties agree that the details of processing are an accurate statement of each party's responsibilities as a joint Data Controller of the Shared Personal Data for the provision of the Products to MoveGroup customers.
Each party shall be separately responsible for compliance with its obligations under GDPR - in its capacity as Data Controller, in respect of:
- The security of the Personal Data when it is under its control.
- Any transfers of the Personal Data outside the EEA for which that party is responsible.
- Any requests from individuals in respect of their rights under the Data Protection Legislation exercised in respect of the Personal Data in that party’s possession and/or control.
The disclosing party shall ensure that it is entitled to share the Shared Personal Data with the receiving party for the purposes of providing the Products, and that it has complied with its responsibilities under the Data Protection Legislation to enable the receiving party to process the Shared Personal Data for the purpose of providing the Products.
Neither party shall, by its acts or omissions, cause the other party to breach its respective obligations under the Data Protection Legislation.
Purpose and Duration:
The Shared Personal Data is processed by the Partner for the provision of Products to MoveGroup Customers. Shared Personal Data shall be processed by the Partner for the duration of the agreement, and may be retained by the Partner for a period of 6 months after the agreement has been terminated.