Following several months of research and consultation, the British Association of Landscape Industries’ (BALI) technical officer, Owen Baker, confirms that the association will be hosting a GDPR Awareness Day for its members on Wednesday 2 May 2018 at BALI Landscape House. The event, which will open for registrations soon, will provide BALI members with an exclusive insight into GDPR with guest presenter Mike Holland of OlsenMetrix Marketing providing presentations, talks and discussions about the impending regulation.
BALI’s technical officer, Owen Baker, commented: “What will make this event truly unique is that members can choose whether to attend in person, or register for a place on the live webinar feed on the same day. BALI has worked tirelessly to try and bring events of great importance, such as GDPR, to as many members as possible around the UK, and our new webinar platform will help deliver on this front. It is important that members that handle customer data take GDPR seriously and this event will assist them with preparations for the 25 May 2018.”
Regardless of your line of work or role within a company, awareness of the General Data Protection Regulation (GDPR) is essential. The following information was produced by Owen several months ago but remains relevant.
Does the General Data Protection Regulation concern computer users only?
No. The GDPR concerns the processing of any personal data by a company – whether it is on a computer or paper.
‘Personal data’ is a broad category
Under the regulation, personal data can include any of the following (this list is not exhaustive):
- Date of birth
- Email address
- Telephone number
- Information stored on an internet ‘Cookie’
- Health information
‘Personal data’ could include information on documents as innocuous as business cards from third parties, details captured on business enquiry forms, photographs of third parties and even colleague absence forms.
‘Processing’ personal data can take many forms:
- Use
- Disclosure by transmission
- Dissemination or otherwise making available
- Alignment or combination
This use of personal data must be considered carefully. From 25 May 2018, there must be a legal basis for processing personal data. This ‘legal basis’ for processing personal data can be given by an individual, to a business, in many ways. The most obvious are below:
- Where explicit consent has been given by an individual
- The use of the data is essential for a contract to be performed (remember: a ‘contract’ can be informal, and may even be given orally)
- Processing the data is necessary for the purposes of the legitimate interests of a business
If, after 25 May 2018, a company holds data for which it cannot provide a legal basis for processing, the data must be deleted. A good example of where the GDPR can be used constructively is unsolicited mail such as spam. Under the rules of GDPR, spam and the unsolicited sharing of data will be illegal in the EU.
Security of personal data is essential
Under the new regulation, this wide range of personal data must be respected and secured by the person who has processed it. Remember, this personal data may currently be stored in the following locations:
- Computer servers and backed-up resources
- Memory sticks
- Filing cabinets
- Desk drawers
- Personal mobile phones and personal laptops
- Off-site storage
- Cloud storage facilities
Owners of personal data have greater rights under GDPR
Individuals have the right to:
- Access their personal data (for example, anyone from a member of the public, to a former employee, could ask a business what personal data is held)
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
The data processor is responsible for storing personal data in a secure, organised manner, and treating it as directed by owners.
What action do BALI members who process personal data need to take right now?
- Identify what data your business ‘processes’ (refer to the definition of ‘processing’, above) and start to think if any of it could be better organised.
- Think about how your business gathers personal data (refer to the definition of ‘personal data’, above, to help you identify the types of data your company holds) and how you track where it is stored.
- Think about how you gain consent from individuals for specific data, how long you keep it for once permission has been gained, and how you delete or dispose of it.
- Think about where your data is stored, and how secure it is.
Additional information sources:
Information Commissioner’s Office (ICO) website
The EU General Data Protection website