GDPR for Radio Stations: What You Need to Know
Will GDPR affect your radio station? Find out what you need to know for the new data protection regulation in the EU.
With the General Data Protection Regulation (GDPR) coming into effect this month, the rules on handling personal data have changed, and it can all seem a little confusing. We have put together this guide to what you need to know and what actions you may have to take.
What is GDPR?
GDPR is an EU regulation that aims to protect people's personal data. Much of its content is similar to the current UK Data Protection Act (DPA), so if you already comply with that act you will have a lot less to worry about. However, the two are not identical and some requirements have changed, so there will be new steps for you to take.
What Should I Consider?
Information You Hold
Documentation is extremely important. Make sure you are recording what personal data you hold, where you obtained it and who you share it with. The GDPR requires you to keep records of your processing activities, including any sharing of data with other companies.
Privacy Policies
Review your current Privacy Policy if you have one. Make any necessary changes before the GDPR comes into force, such as explaining your lawful basis for processing data, how long you will hold it, and that individuals have a right to complain to the Information Commissioner's Office (ICO) if they think there is a problem with the way you handle their data. If you don't have one, you will need to write one by following this guide: Privacy Policy Guide.
Protecting Rights
Make sure you can honour all the rights individuals have over their data. This includes how you will delete personal data and how you will provide a copy of it electronically. The GDPR gives individuals the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to decisions based solely on automated processing, including profiling
Most of these rights already existed under the DPA; the GDPR strengthens some of them.
Access Requests
The new rules for Subject Access Requests are as follows:
- In most cases you cannot charge a fee for complying with a request.
- You have one month to comply, not 40 days.
- You can refuse to act on, or charge a reasonable fee for, requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why, at the latest within one month, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
Lawful Basis for Processing
Review the types of processing you carry out and identify your lawful basis for each. You need to document this to comply with the GDPR.
Consent
Consent must be freely given, specific, informed and unambiguous, and it requires a clear affirmative action: a definite opt-in, so pre-ticked boxes, silence or inactivity do not count. It must be kept separate from your terms and conditions, and you must provide a simple way to withdraw it.
Children
If your radio station offers online services aimed at children, this part applies to you. The GDPR sets the default age at which a child can give consent for themselves at 16, but lets member states lower it to as young as 13 (the UK has chosen 13). If you rely on consent to offer an online service to children below the applicable age, you will need to obtain consent from a parent or guardian on their behalf.
Data Breaches
Put procedures in place to detect, investigate and report a personal data breach. You must notify the ICO, within 72 hours of becoming aware of it, of any breach likely to result in a risk to individuals' rights and freedoms, e.g. discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant harm. If the breach is likely to result in a high risk to individuals, you must also inform the individuals themselves without undue delay.
Data Protection Impact Assessments (DPIAs)
Under the GDPR, DPIAs are mandatory where processing is likely to pose a high risk to individuals, for example:
- Deploying new technologies.
- Processing special category data on a large scale.
- Processing that is likely to significantly affect individuals.
What Can I Do?
As an online radio station, there isn't too much to worry about. If you have a mailing list, for example, and the consent you originally collected does not meet the GDPR standard described above, you will have to ask your subscribers to confirm that they still want to receive it.
If you hold people's personal data in any way, make sure you have a written Privacy Policy detailing how you store it, how it is deleted, any processing you do with it, and what rights individuals have. This includes any apps you submit to the iOS App Store and Google Play, as both stores require you to provide a Privacy Policy covering the personal data your app collects. You will need to write a Privacy Policy for your apps, similar to how we've done it here.
Is GDPR affecting your radio station? Let us know in the comments below.