Are you GDPR Ready?


May 25th – Are You Ready?

On May 25th 2018, Regulation (EU) 2016/679, better known as the General Data Protection Regulation (GDPR), will come into force in the EU, and it will have an impact on organisations worldwide that deal with personal information about EU citizens. GDPR is the successor to the Data Protection Act in the UK, which has been around since the 1980s.

What is GDPR?

What is Personal Data?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR is a set of updated regulations on how personal information can be collected, used and stored. At the moment the Data Protection Act states how personal information can be used in the UK; the GDPR supersedes this by specifying more clearly what can and can’t be collected, processed and stored, and it includes more rights for the subject of the data, such as the right to be forgotten.

Who does GDPR apply to?

The regulations apply to everyone who stores information on EU individuals, regardless of where the data is collected or processed. This means that international companies also have to comply with the GDPR even if they are processing the personal data in a non-EU country.

Just like the Data Protection Act, it’s not just digital information that is covered. If you keep paper documents they are covered too.

So it’s almost certain that if you have a business you will fall under the GDPR.

Some common types of personally identifiable information might include:

  • Details about your employees
  • CCTV footage
  • Details about your customers
  • Details about your suppliers

Data Breaches

Penalties of not being compliant
Under GDPR, organisations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.

If you suffer a data breach, you have a responsibility to report it to the ICO within 72 hours of becoming aware of the breach. If it’s likely the breach could result in an individual’s rights or freedoms being affected, you must alert those individuals without delay.

You need to make sure your processes regularly check for any breaches of policy, you need to have documented processes in place to identify the users affected by a breach, and you need to keep a log of all data breaches you suffer.

A breach is defined as “The unlawful destruction, loss, alteration, disclosure or access to personal data, both deliberate and accidental, that has affected the confidentiality, integrity or availability of the personal data.” So even the accidental deletion of data by a member of staff with authorised access to the data is considered a breach of policy.

Rights for individuals

Under the GDPR, individuals have several key rights regarding the data you hold on them. They are:

  1. Right to be informed
    An individual has a right to be informed at the point of data collection WHY their data is being collected, HOW it will be used and WHO will be able to access it.
    The policy wording needs to be clear, legible, transparent and precise. Simply mentioning ‘3rd parties’ is no longer sufficient; you need to state who, why and how for each case.
  2. Right of Access
    An individual has the right to access the personal information you store about them, including supplementary information, in an easily accessible and understandable format. So if your information contains technical terms, they need to be explained in an easy to understand way.
  3. Right to amendment
    If the information you hold on an individual is incorrect, they have a right to have it rectified.
  4. Right to deletion
    Commonly reported as ‘Right to be forgotten’ the individual has the right to have their personal data securely deleted where there is no compelling reason for its continued processing, if the individual withdraws consent for its continued processing, or when the processing is no longer required.
  5. Right to object
    An individual has the right to object to processing of their data for direct marketing (including profiling), for historical or scientific research, and for any processing where a legitimate reason exists.
  6. Right to transport
    An individual’s right to data portability allows them to obtain a copy of their personal data in a format that allows them to reuse the data for their own purposes with a different service.
  7. Right to rescind
    An individual has a right to block processing of personal data even after consent was initially given. If a request to restrict processing is received, you are still permitted to store the data, but no processing may be carried out on that data.
  8. Right to profiling
    If you are performing automated decision making or profiling on an individual’s data, they have the right to request non-automated processing if the result of the decision is financial or legal.

In most cases, you will have 30 days to respond to an individual’s request. Responses must be provided free of charge and in a readily accessible format. You are also required to ‘pass on’ the user’s request to any other organisations that you have passed the original data on to.

You need to make the individuals aware of their rights at the point of data collection.

We Can Help

There’s a lot of work that needs to be done to get GDPR compliant. We can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.

Some of the GDPR specific services we offer include:

  • Data Protection Officer Services
  • Policy Writing
  • Data Handling
  • ICO Registering
  • Process Monitoring
  • Process Assessment


Email: it@tinsleynet.co.uk
Phone: 07825 650122
