Does our business need to comply?
Regardless of where you process personal data, if you process personal data of European citizens, you are likely to be subject to European data protection laws. You may also be under a contractual obligation to comply with data protection laws in the EU in your agreements with other vendors. This means that even non-EU businesses must comply with EU law.
European data protection laws require that you abide by 8 key principles. The principles require that personal data is:
- fairly and lawfully processed;
- processed for limited, specific purposes and not in any manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with the data subject’s rights;
- kept secure using appropriate technical and organisational measures; and
- not transferred to countries outside the EEA without adequate protection.
The following guidelines provide some good practice tips for abiding by these principles. Doing so will not only provide steps towards compliance with the law, but help you to gain a competitive advantage and gain the trust of your customers.
- Purpose: Do you need to collect data about people? Try to avoid asking customers to log in/register and provide their personal details before it is absolutely necessary, unless it is for a specific purpose. Only collect data that is relevant and proportionate to the purpose for which it is being collected.
- Access: Limit access to data to only those staff members required to have access for work-related purposes.
- Storage: If possible, store all data in the EU.
- Security: You have a legal obligation to keep customer information secure and, where possible, encrypted. Take all necessary technical and practical security measures to prevent unauthorised access, loss, alteration, erasure or misuse of the data (in both manual and electronic form). Have appropriate processes in place to manage electronic and manual records containing data.
- Review: Continually review and audit the accuracy and necessity of the data you collect. If you no longer need the data, ensure that it is disposed of securely. Encourage individuals whose data you collect to check and confirm that the information you hold about them is correct.
- Retention: Don’t keep data longer than is necessary for the purpose for which it was collected.
- Training: Ideally appoint a data protection officer and train staff in ensuring data is held securely, and ensure staff are able to recognise a subject access request.
- Consent: Give individuals the option to opt out of your collecting their data. If you are going to use customer information to send them direct marketing material, you must obtain their express consent to do so. Different rules apply to each method of marketing. Provide individuals with the opportunity to opt out of their personal data being disclosed to a third party or used for a purpose other than the purpose for which it was originally collected.
- Notification: If your business is likely to determine the nature of processing of personal data, it is what is called a ‘data controller’. Data controllers must register with the local data protection authority as a data controller and keep the notification updated.
- Transfers: Only transfer data to a third party if (a) it is an agent and subscribes to the safe harbour principles or (b) it has entered into a written agreement that requires it to provide at least the same levels of data protection as the safe harbour framework requires.
- Third parties: Ensure you have written contracts in place with subcontractors requiring them to adopt adequate security measures and guarantee fair processing of the data you collect.
- Sensitive data: Don’t (a) disclose sensitive personal data to non-agent third parties or (b) use sensitive personal data for a purpose other than the purpose for which it was originally collected, unless the individual’s express consent has been received (opt-in). Take special care to ensure the security of sensitive personal data.
- Children: Do not disclose or transfer data collected from individuals under the age of 18 to third parties without the explicit and verifiable consent of the child’s parent or guardian.
- Subject access requests: You may be asked by an individual for a right of access to information you hold about them, which you will need to act upon promptly.