May 25th – Are You Ready?
On May 25th 2018, Regulation (EU) 2016/679, better known as the General Data Protection Regulation (GDPR), will come into force in the EU and will have an impact on organisations worldwide that deal with personal information about EU citizens. GDPR is the successor to the Data Protection Act in the UK, which has been around since the 1980s.
What is GDPR
The GDPR is a set of updated regulations on how personal information can be collected, used and stored. At the moment the Data Protection Act states how personal information can be used in the UK; the GDPR supersedes this by specifying more clearly what can and can't be collected, processed and stored, and it includes more rights for the subject of the data, such as the right to be forgotten.
What is Personal Data?
The GDPR applies to "personal data", meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition allows a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Who does GDPR apply to
The regulations apply to everyone who stores information on EU individuals, regardless of where the data is collected or processed. This means that international companies also have to comply with the GDPR even if they are processing the personal data in a non-EU country. Just like the Data Protection Act, it's not just digital information that is covered: if you keep paper documents they are covered too. So it's almost certain that if you have a business you will fall under the GDPR. Some common types of personally identifiable information might include:
- Details about your employees
- CCTV footage
- Details about your customers
- Details about your suppliers
Penalties for not being compliant
Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.
Rights for individuals
Under the GDPR, individuals have several key rights regarding the data you hold on them. They are:
- Right to be informed
An individual has a right to be informed, at the point of data collection, WHY their data is being collected, HOW it will be used and WHO will be able to access it. The policy wording needs to be clear, legible, transparent and precise. Simply mentioning 3rd parties is no longer sufficient; you need to state who, why and how for each case.
- Right of access
An individual has the right to access the personal information you store about them, including supplementary information, in an easily accessible and understandable format. So if your information contains technical terms, they need to be explained in an easy-to-understand way.
- Right to amendment
If the information you hold on an individual is incorrect, they have a right to have it rectified.
- Right to deletion
Commonly reported as the right to be forgotten, the individual has the right to have their personal data securely deleted where there is no compelling reason for its continued processing, if the individual withdraws consent for its continued processing, or when the processing is no longer required.
- Right to object
An individual has the right to object to processing of their data for direct marketing (including profiling), for historical or scientific research, and for processing where a legitimate reason exists.
- Right to transport
An individual's right to data portability allows them to obtain a copy of their personal data in a format that allows them to reuse the data for their own purposes with a different service.
- Right to rescind
An individual has a right to block processing of personal data even after consent was initially given. If a request to restrict processing is received, you are still permitted to store the data, but no processing must be carried out on that data.
- Right to profiling
If you are performing automated decision making or profiling on an individual's data, they have the right to request non-automated processing if the result of the decision is financial or legal.
In most cases, you will have 30 days to respond to an individual's request. Responses must be provided free of charge and in a readily accessible format. You are also required to pass on the user's request to any other organisations that you have passed the original data on to. You need to make individuals aware of their rights at the point of data collection.
We Can Help
There's a lot of work that needs to be done to become GDPR compliant; we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant. We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant. Some of the GDPR-specific services we offer include:
- Data Protection Officer Services
- Policy Writing
- Data Handling
- ICO Registering
- Process Monitoring
- Process Assessment