General Data Protection Regulation
Regulation EU 2016/679, known as the GDPR or The Data Protection Act 2018 in the UK relates to the use of individuals personally identifiable information.
What is Personally Identifiable Information?
Any information that can be used to identify an individual directly or indirectly is personally identifiable information and so covered under the GDPR.
Common types of Personally Identifiable Information are;
- Names
- Email Address (personal ones and business ones if they identify the individual such as joe.blogs@company.com)
- Address
- Unique Reference Numbers
- Registration Plates
- Photos
- Phone Numbers
Some types of Personally Identifiable Information have a special category status, these include things like;
- Health Information
- Bio-metric Information
- Sexual information
- Religious Information
If you handle any of the special category information, you need to provide additional levels of security and have explicit consent from the data subject to process it.
Do I handle Personally Identifiable Information?
If you have any of the following, it’s likely that you are handling Personally Identifiable Information;
- Employee Information
- Customer Information
- Prospects Information
- Suppliers Information
What do I have to do to be compliant?
You need to make sure you are registered with the ICO as being compliant to handle Personally Identifiable Information.
You need to make sure you know how your organisation is processing information under the GDPR, where is it coming from, how is it being used, who has access to it, where does it go, how long do you hold it for?
You need a Privacy Policy to document how your are managing the security of the information you have, in this you need to identify the lawful basis for processing the information, and keep records of how you have come to the lawful basis, how you have processed information, and how you have ensured the security of the information.
You need a Privacy Notice to notify the individuals who’s information you have, about how you have obtained that information, how you’re going to use it, your lawful basis for using it, how you’re going to protect it and how they can submit requests to update or prevent processing on it.
You also need a means of monitoring your information store, either paper based or digital, that can identify when a breach happens. A breach could be as simple as accidentally deleting information or it could be as serious as someone unauthorised getting access to the information.
Responding to individual requests
Individuals have various rights to their data depending on your lawful basis for processing. You are required to respond to these requests in 30 days, and without any fee. You must provide any information in an easy to access format, and explain any technical terms used.
Responding to individual requests is something you should have a documented process for, this will save you time and trouble if and when you receive any requests, and will help keep you compliant with the GDPR.
#WeCanHelp
There’s a lot of work that needs to be done getting your organisation GDPR compliant, we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.
We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.
General Data Protection Regulations
Data Protection Act 2018
The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.
If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.
Personal Information is any information that can identify an individual, such as employee names, customer id’s or CCTV footage.
If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.