GDPR - what you need to know

General Data Protection Regulations (GDPR) regulations become law on 25th May 2018.

The law is applicable EU-wide including the UK post-Brexit and involves ANY company that collects/processes/stores or uses the personal data of EU/UK individuals and includes direct mail, print and third party suppliers who may have, or require, access to the data you hold.
 
This includes timeshare resorts – and you cannot hide behind your signed contracts and constitutions.
 
Within the legal obligations, it is important that businesses understand the difference between a Data Controller, a Data Processer and a Data Protection Officer.

• A Data Controller (DC) – Is the business data owner that defines the purpose and means for which the data is collected and processed.
  
• A Data Processor (DP) – Is the person or department who processes the data on behalf of the Data Controller.
• The Data Protection Officer (DPO) – is a defined person (or persons) with responsibility for monitoring compliance, employee inclusion and company obligations to maintain records of data processing activities and to map how data is collected, why, how it is processed and stored and who has authorised access.

The DPO should trace the flow of data within the business and external third-party suppliers to ensure compliant systems and processes.

The law is specifically changing focus to prioritise the individual’s rights including the right to be informed (of any data breach) and the right to be forgotten (erasure of data) which may be subject to the “legitimate interest” exemption e.g. clients who have financial commitment etc.
 
Data security and privacy must be by design and a documented process must be in place. There is a 72-hour timeline requirement for data breach notifications and responses to individual subject data requests.
 
Remember that individual employee laptops, or any data removed from the office premises, must have encryption of data to be compliant.
 
In addition, there is the option to streamline existing data – to actively erase data when no longer required – which will deliver a more lean, focused and targeted data contact opportunity.
 
Third party suppliers may need to have a security level or data processing agreement.
 
Finally, as part of the process your resort needs to consider employee GDPR options and employee awareness training so that they understand what is required of them going forward when handling personal data.
 
In short – a business needs to operate a higher standard of data security.
 
If you require any information on making your practice GDPR compliant, contact EVC Marketing now.