Okay, I admit it. That’s a click-bait headline if ever I wrote one. But it does have some relevance to the topic of today’s blog post.
A Case of Identity
As regular readers know, I am spending 2018 re-reading the Sherlock Holmes stories and illustrating them. Really, this is just a subject upon which I can hang various topics that I would like to talk about.
I’m an illustrator, but being in business is about a great deal more than just the “products” you turn out. And today we’re talking about something that will impact businesses big and small, and will affect all of us in one way or another.
Let’s talk GDPR…
The GDPR, or General Data Protection Regulation, is a new EU-wide set of rules that come into effect later this year.
It will replace our current Data Protection Act and it places more obligations on any business or organisation that handles personal data.
Businesses such as mine.
When does the GDPR come into effect?
The GDPR comes into effect on 25 May 2018.
If you are a business, of any size, you need to have your ducks lined up before this date, or you could face fines for non-compliance.
(Those are metaphorical ducks – the new regulations do not require you to have ducks, in any formation.)
What was the thing about your stepfather?
As we saw last time on the blog, I have reached the Sherlock Holmes short stories.
Week 5 saw me illustrate A Case of Identity, a mystery that turned upon the unique properties of a particular typewriter.
This typewriter was operated by an unscrupulous gentleman by the name of Mr James Windibank, the stepfather to this week’s wronged woman, Miss Mary Sutherland.
Miss Sutherland possessed a not-inconsiderable sum of money, left to her by an uncle in New Zealand. While rich in kiwi stocks, she was poor in suitors, until a chance encounter at the gasfitters’ ball (yes, really) brought her into contact with a Mr Hosmer Angel. Honestly, this is what happens. I’m not making it up.
Their hidden love affair, kept secret from the disapproving stepfather, soon led to an engagement. But then – drum-roll please – at the door to the church Hosmer Angel vanishes, never to be seen again.
What has become of him? That is the task which is laid before our sleuthing pair.
Three pages later, and Sherlock Holmes has done his work. James Windibank – the stepfather – is summoned to 221B Baker Street and unmasked.
For it was he all along!
With his bushy whiskers, “hesitating, whispering… speech,” and tinted glasses, Hosmer Angel was in fact the duplicitous stepfather in disguise. Having secured a promise of life-long fidelity from Miss Sutherland to the missing Hosmer Angel, Mr Windibank had secured her fortune within the family home, safe from any other – real – suitors who may come along.
A “cold-blooded scoundrel” indeed.
What this shows us is that, even as far back as 1891, criminals were attempting to deceive and disguise, trying to separate people from their money by devious means.
It will be of no surprise to anyone that this is not only more prevalent today, but it is being done by far more sophisticated means.
In this internet age, our personal details are a lot less personal and a lot more public. Whether it is buying something online, signing up for a mailing list, or registering for a new app, you leave a lot of yourself out there in the world.
It is not just online. When you take out gym membership, sign up for a bank account, or take out a new insurance policy, you are giving some of your information away.
This is okay.
Businesses need this information to do the things they do. The bank needs to know who you are and where you live. This allows them to serve you and your account properly.
But we expect the bank – or any other business – to treat your information carefully and to keep it safe.
This is the crux of the GDPR. Making sure that all businesses and organisations protect the information they know about you.
It’s more than that
There are some shiny new bits to the GDPR too.
“The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”
“The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.”
(Quotes from the Information Commissioner’s Office Guide to the GDPR)
If possible, your personal information should be “portable” between companies. If you’re changing email providers, for example, your data (such as your email contacts) should be able to be picked up and moved from Email Provider A to Email Provider B. If possible. There are going to be legitimate IT restrictions that mean this will not always work.
And when you stop dealing with a company and they are no longer required to hold your information, you will now be able to request that they delete you from their systems.
This is by no means everything in the GDPR, but you may find that these are some of the parts that are most useful to you as a consumer.
Who needs to comply with the GDPR?
Any organisation that processes personal data needs to comply.
I am a self-employed freelancer. It’s just me, a one-man-band. I still need to comply because I handle (a small amount of) personal data.
We’re not starting from scratch
The GDPR builds on existing data protection regulation. Your data is already protected.
- I have talked before about security measures implemented on this website
- I am registered with the Information Commissioner’s Office (ZA235975)
- I use Mailchimp, a recognised and reputable company, to manage my email newsletter and newsletter subscriptions
- My shop is operated by Etsy, who have their own data protection policies to protect customers
- Any purchases or payments not handled through Etsy are managed via PayPal – I don’t have access to your card information
As a customer, GDPR should not make you feel worried. It should remind you that businesses already have obligations to protect your data.
GDPR builds on these and offers you more.
Why are you telling us this?
If you’re reading this and you’re an illustrator, or a freelancer, or responsible for a business of any size, then I hope it has reminded you that GDPR is coming. You need to be ready by the 25th of May.
If you’re my customer, or someone thinking about commissioning an illustration from me, I want this to reassure you that I take my responsibilities seriously. My responsibilities towards the regulations, and my responsibilities to you and your data. When you sign up to my mailing list, or send me your address details, I want you to feel confident that I am looking after that information.
I am lining up those metaphorical ducks, making sure they all quack correctly.
I also plan to write another blog post before GDPR arrives, detailing the steps I have taken to meet the regulations and to keep your data secure.
For now, though, you have probably had enough of GDPR. Attack it in small pieces and it becomes a lot easier to swallow.
Come back soon for more Sherlock, more pictures, and a lot less discussion about complicated EU regulations!
If you’ve read all of this and are thinking that this guy sounds like the sort of person I want to give my personal data to, then you should sign up for my newsletter.
I only need your name and email address to send you occasional emails about my work, special offers, and new products I’m launching.
I am not a data protection expert, nor an expert in EU legislation. I draw pictures for a living.
As such, please make sure you do your own research to find out how you need to comply with these new rules. Nothing in this blog post should be taken as advice or guidance on what you need to do. It exists only to let people know that GDPR is coming soon and to remind you that you need to be ready for it.