Does our business need to comply?
Regardless of where you are based and where you process personal data, if you process personal data of European or UK citizens, you are likely to be subject to European data protection laws, including the General Data Protection Regulation (GDPR). You may also be under a contractual obligation to comply with EU data protection laws in your agreements with other companies and vendors. This means that even non-EU businesses must comply with EU data protection law.
The Six Key Principles of European Data Protection Laws
European data protection laws require that you abide by six key principles. The principles require that personal data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purpose(s) for which it is processed;
- accurate and up to date;
- not kept in an identifiable form for longer than is necessary for the purpose(s) for which it is processed; and
- kept secure using appropriate technical and organisational measures.
The following guidelines provide some further guidance on, and good practice tips to help you comply with these principles.
Try to avoid collecting personal data. For example, don’t ask customers to login or register and provide their personal details before it is absolutely necessary, unless it is for a specific purpose. Only collect data that is relevant and proportionate to the purpose for which it is being collected.
Limit access to personal data to only those staff members required to have access for work-related purposes
If possible, store all personal data in the EEA or UK; if transferring data outside the EEA or UK, make sure that the data are adequately protected.
You have a legal obligation to keep personal information secure. Take all necessary technical and organisational security measures to prevent unauthorised access, loss, alteration, erasure or misuse of personal data (in both manual and electronic form). Have appropriate processes in place to manage electronic and manual records containing personal data.
Continually review and audit the accuracy and necessity of the data you collect. If you no longer need the data, ensure that it is disposed of securely. Encourage individuals whose data you collect to check and confirm the information you hold about them is correct.
Don’t keep data for longer than is necessary for the purpose for which it was collected.
Ideally appoint a data protection officer and train staff in ensuring data is held securely, and ensure staff are able to recognise requests from individuals to exercise their rights in respect of their personal data.
Ensure you have written contracts in place with subcontractors requiring them to adopt adequate security measures and guarantee fair processing of the personal data with which you provide them.
Do not disclose or transfer data collected from individuals under the age of 18 (or 13 in some countries) to third parties without the explicit and verifiable consent of the child’s parent or guardian.