Get ready for the GDPR (General Data Protection Regulation)
On May 25th 2018 some big changes to data protection law come into force, in the form of the General Data Protection Regulation (GDPR). This will affect all organisations that handle personal data of any sort, and it applies to all personal data that you collect and store – whether online or on paper.
What are the key changes?
Where you rely on consent as your basis for processing, you must be able to demonstrate that anyone whose data you hold and process has given it. You have to tell them what you will be using their data for and how long you intend to keep it. The consent must be freely given, specific, informed and unambiguous – which means that consent requests should be clearly separate from other terms and conditions, and that pre-ticked boxes or silence do not count.
It’s already possible to use custom fields in Insight to gather the consent that you need, but we will be introducing some new tools to help streamline the process and to help you ensure that consent has been obtained and is up to date.
These new features will add a page where you can define 'consent questions'. It will be up to individual organisations to decide what they want to ask consent for. You will be able to set up your own consent 'questions' and your own 'answers', and you can ask as many questions as you need to cover each purpose for which you require consent.
These questions will be asked when people register on the site and they will also be available in 'My Area'. There will be a link in the footer of all emails carrying a unique ID (just like the current 'unsubscribe' link), which will enable people without a login to go to this page to give or withdraw consent as they see fit. Because that link grants access to a person's consent settings without a password, the ID it carries acts as a credential: it must be long and unguessable, and it should only ever be sent to the address it belongs to.
There will also be a 'Consent' tab on the user record where admins can record any consent (with comments) that has been given offline.
Right of access
People whose data you hold are entitled to ask to see the data. It’s already possible for your members to log in and view their profile details. We are currently putting the finishing touches to some major improvements to the ‘My Area’ part of the system, and we are also planning to make it easier for administrators to export individuals’ data to send in response to any access requests.
Right to be forgotten
Consent can be withdrawn at any time for processing data for a specific purpose, and withdrawing it must be as easy as giving it. Someone can also ask to be removed from your records altogether (the right to erasure), provided you are not legally required to keep the data (for example tax records).
We will be making some improvements to make it easier for you to remove all data for a particular individual and to find data that is old or outdated.
Accuracy of data
You are expected to make reasonable efforts to keep data up to date, or to remove it. Individuals can ask you at any time to correct their data; again ‘My Area’ makes it easy for members to do this themselves.
As the data controller, your organisation is responsible for its own compliance with the GDPR, and you must only appoint third parties (processors) to handle data on your behalf who can provide sufficient guarantees that the requirements of the GDPR will be met. That relationship must be set out in a written contract.
We will be updating all of our contracts to reflect our obligations under the GDPR and our responsibilities towards you.
What about Brexit?
Although the GDPR is a European regulation, it will be carried over into UK law when the UK leaves the European Union, so it will continue to apply for the foreseeable future.
Where can I get more information?
Can I contribute?
If you have read and understand the GDPR and you would like to make suggestions on how we can improve Insight to help you meet your obligations then we would love to hear from you. Please contact us on our usual email address - email@example.com