As of May 25th 2018, a new law will be put in place that may impact the way you collect and process data from your clients. GDPR (General Data Protection Regulation) will be introduced and while it is similar to the 1998 Data Protection Act, it aims to give people better control of how their data is used – with big consequences for those businesses that do not comply. So, what is GDPR and how will it affect you?
Who Does GDPR Apply To?
The new GDPR will apply to ‘controllers’ and ‘processors’.
- A controller decides why personal data is being processed (for example, an organisation – like your business).
- A processor is the one who processes the data (a data processing company).
It will be the responsibility of the controller to make sure the processor is following the new regulations. Eg. if you hire an external IT company to do your processing for you, you will need to make sure they are meeting the regulations.
What’s Changed – The Facts:
From May 25th 2018, you will need a lawful reason to be collecting personal data from your clients. Personal data refers to information such as; name, address or ID numbers. It can also include data such as health and genetic data, racial or ethnic data, sexual preferences and political opinions. Although the requirement to have a lawful reason to process the personal data of your clients is not new, it puts more importance on businesses being accountable and transparent about collecting data. There are 6 lawful bases for processing personal data. You may need to look at your existing processing reasons and choose which basis best matches your reasons. You will be breaching the new GDPR if you do not identify the lawful basis for your data processing. You will need to inform your clients, staff and stakeholders of your lawful basis and make sure it is well documented by May 25th 2018 in order to be in compliance with the new law.
What Are The 6 Lawful Bases For Processing Personal Data?
There are 6 lawful bases for data processing in the GDPR. You will need to choose an appropriate basis for your business in order to process personal data from clients. It’s important that you choose the right one from the beginning, as it may be hard to change your reasoning once the law is in place.
The 6 lawful bases are as follows:
- Consent – you will need to have consent from your clients for you to process their personal data.
- Contract – the processing is necessary for a contract you have with a client.
- Legal obligation – the processing is necessary due to laws.
- Vital interests – processing of data is necessary in order to protect a life.
- Public task – processing of personal data is necessary in order to complete a task in the interest of the public.
- Legitimate interests – the processing of personal data is necessary for legitimate interests of your business or of a third party.
How Will This Impact Your Business?
As a business, you will often get telephone enquiries from people asking about your goods and services. If a client phones into your business and wants to book an appointment with you, you will need to take down their personal information in order to get them onto your system and confirm the booking. Under the new GDPR, you will now need to have evidence of clear consent that your clients are allowing you to process their personal data. The GDPR states that: ‘The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.’
What Can You do?
How do you make your clients aware of why you’re collecting their data and how do you get evidence of their consent? Do you send out emails or letters and wait for ages to get in every response? This is where Call Recording comes in handy. Call Recording is a feature of the Yo Telecom phone system that records all of your calls, both inbound and outbound. This means that if a client phones in – you can make them aware of your reasons for collecting and processing their personal data, as well as getting their consent to do so. You then have a record of your compliance with the new law and clear consent from your clients. This recording will be stored for up to 7 years and can be listened to as many times as you need. It can also be emailed in case you need to send proof of consent.
If you need some more advice about consent you can check out this guide by the ICO (Information Commissioner’s Office).
I hope this article has helped you to understand the new GDPR regulations and what you can do to be in compliance. If you have any further queries or want to read more on the subject, you can check out the official GDPR website. If you have any questions about our business phone systems with call recording you can speak to a member of our team by calling 02382 146115.
