The EU GDPR (General Data Protection Regulation) has been brought in to update the UK Data Protection Act, as a lot has changed since 1998 when that Act first came into force. For individuals, the good news is that the Data Protection Act controls how your personal information is used by organisations, businesses or the government. From an organisation and business point of view, this is not to be ignored and must be tackled head on by everyone over the next 385 days.
The new regulation will affect everyone responsible for the storage and/or use of data, and follows strict data protection principles which we have outlined below. It will be enforced from 25th May 2018, and those found to be non-compliant will face heavy fines of up to 20 million euros or 4% of annual global turnover (whichever is greater).
The principles require that personal data is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. These rights have been taken from a reliable source shown below and are as follows:
1/ The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
2/ The right of access
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
These are similar to existing subject access rights under the DPA.
3/ The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
4/ The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5/ The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.
When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
6/ The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7/ The right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
8/ Rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.
Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
So how can I demonstrate that I comply?
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - data minimisation;
  - allowing individuals to monitor processing; and
  - creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
What about the impact of Brexit? Will I still have to comply?
It’s a good question, as the legislation has come from the EU. However, although it has yet to come into effect, the GDPR has already been implemented in the UK because we were a member state when the legislation passed in the European Parliament (14th April 2016). Unless it is repealed during Brexit negotiations, it will continue to be UK law, and in the meantime it’s vital that UK organisations have a grasp on what is to come.
The good news is that we all have until May 25th 2018 to get our data ducks in a row. If you are confused at all, one of our clients, IT Lab, has created an audit process to help businesses assess their use of data, mitigate risk and manage data going forward lawfully and fairly. Contact us for more information.
Sources and resources