As I’ve mentioned before (and you are probably tired of hearing), on 25th May 2018 the General Data Protection Regulation (GDPR) comes into effect across Europe regulating how businesses must handle personal data. However, research in March found that fewer than half of European small and medium businesses have taken steps to get ready for the new regulations.
So what does this mean for your business?
Here are seven everyday things you may be unable to do around the office from 25th May onwards when the Regulation comes into force.
1. Celebrating a colleague’s birthday
An individual’s date of birth is their own personal data. Unless it is shared in a purely personal or household activity, it should not be shared without express consent by the individual. So it is worth checking that you have everyone’s permission to host a shared calendar of birthdays in the office.
2. Sending office Christmas cards
If you were planning to send Christmas cards to your clients this year, think again. If that were to include someone’s home address then that is personal data, so once again not necessarily permissible under GDPR unless you have the consent of the individuals in advance. If you do not have express consent to contact each customer, a different legitimate basis must be established for each business communication you send.
3. Sharing a colleague’s baby photos
Think twice before sharing baby photos with international colleagues. All those adorable new arrivals may have to remain unseen by colleagues far away.
Personal data can only be transferred internationally if the destination country has been designated by the EU as providing an adequate level of data protection, if the transfer complies with an approved certification mechanism such as the EU-US Privacy Shield, or if the consent of the individual concerned has been obtained.
4. Forwarding a candidate’s CV for a second opinion
Not sure about a potential candidate for a role in your organisation? Tough luck – once again that will be personal data and cannot be shared with another colleague unless the sharing of their CV is with someone relevant to that role.
5. Ticking the box to join a mailing list
Does your website registration form have a pre-ticked box for clients to receive marketing information from you? You might want to rethink that come 25 May. Under GDPR, silence, pre-ticked boxes and inactivity will no longer suffice as consent. You may also want to read through your privacy terms online, as a request by a business for consent to use personal information must be intelligible and in clear, plain language.
6. Talking politics in the office
Political opinions are part of a special category of personal information – sensitive personal data – and organisations cannot record or process this type of information unless it is absolutely necessary or they have obtained the explicit consent of the individual concerned. So, that email chain about the forthcoming elections starts to look very dangerous, and should anyone forward on that chain containing people’s political opinions, that may fall foul of GDPR.
7. Sharing a colleague’s medical information
Health information is also part of that special category of personal information. So, if you have to call in sick one morning because of a medical condition, then only the fact that you are unwell should be conveyed to others who need to know your whereabouts, rather than specifying the medical condition.
I guess we’ll just have to do more work instead!
Noel Guilford