The GDPR – A guide for park owners
It may not be the first thing a park owner thinks about, but data protection laws here in the UK apply as much to holiday and home parks as they do to any other business sector. In May next year the General Data Protection Regulation (GDPR) will come into effect and is set to introduce some significant changes.
The impact of these changes and identifying what issues are relevant will be a challenge for many park owners. So what is changing and what should you be doing now to make sure that next year does not hold any nasty surprises?
Does the GDPR apply to me?
The answer is almost certainly yes. The obligations of GDPR fall on all organisations which process personal data regardless of their size or type. “Processing” includes using data in almost any way whatsoever (including receiving it, storing it, copying it and destroying it); personal data is any information from which a living individual can be identified. Those definitions are very broad and as a park owner or operator you are almost certainly subject to the GDPR and everything in it.
Brexit and GDPR
One thing to note at the outset is that there is almost no chance of the GDPR going away. Technically it is already part of UK law and both the government and the Information Commissioner have made it clear that it will come into force as planned, regardless of how Brexit negotiations go. Even if there were a complete change of direction, you would still have to comply with the GDPR if you sell goods or services to EU citizens.
The changes: rights of individuals
In a nutshell, old rights are being strengthened and new rights are being introduced. There is a new “right to be forgotten”, which gives individuals the right to require you to remove their data from your systems, and a right to data portability, designed to allow individuals to obtain and reuse their personal data for their own purposes across different services. Subject Access Requests, which are nothing new, will have to be complied with in less time (one month as opposed to 40 days) and the right to impose a fee of up to £10 is being removed.
Even where individuals’ rights remain the same, the obligations placed on organisations in relation to them are set to become stricter. Keeping a record of the decisions you make regarding data protection is now a legal requirement, as is maintaining records of what data you have and why you have it. Much more information is now expected to be provided to individuals as well in the form of privacy policies.
It is important to note that these obligations apply regardless of the size of your operation.
What to do now?
- Make sure that the key decision makers are aware of data protection generally and that the law is changing in less than a year. Provide staff training to those who handle the data on a day-to-day basis and ensure they are up to speed with the obligations on the business and the way to use/store data that is obtained.
- Assess what information you have, where it came from and who you share it with. What you will need to do will depend on the data that you have.
- Document the result of your assessment.
- Check that you have privacy policies in place and if so that they set out the basis for processing data and what you do with it.
- Familiarise yourself with the rights of individuals and satisfy yourself that you can deal with a request for those rights to be acted on. If you are a large operator, you should have written procedures in place to do so and make sure that your employees recognise such a request if one comes in.
- Make sure you know what to do if there is a data breach (for example, if an individual’s data goes astray). Put a procedure in place to deal with reporting and investigating a breach.
- Record everything you do. Accountability, being able to show what you have done to comply with your obligations, will be vital.
- Don’t leave everything until the last minute: do a data protection audit now!