The EU GDPR (General Data Protection Regulation) has been brought in to update the UK Data Protection Act, as a lot has changed since 1998 when the Act first came into play. For individuals, the good news is that the Data Protection Act controls how your personal information is used by organisations, businesses or the government. From an organisation and business point of view this is not to be ignored and must be tackled head on by everyone over the next 385 days.
The new regulation will affect everyone responsible for the storage and/or use of data and follows strict data protection principles, which we have outlined below. It will be enforced as of 25th May 2018, and those found non-compliant will face heavy fines of up to 20 million euros or 4% of annual global turnover (whichever is greater).
The principles include:
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. These rights have been taken from a reliable source (shown below) and are as follows:
1/ The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
2/ The right of access
Under the GDPR, individuals will have the right to obtain:
3/ The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
4/ The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5/ The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.
When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
6/ The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7/ The right to object
Individuals have the right to object to:
8/ Rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA.
Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
So how can I demonstrate that I comply?
What about the impact of Brexit? Will I still have to comply?
It’s a good question, as the legislation has come from the EU. Although it has yet to come into effect, the GDPR has already been implemented in the UK because we were a member state when the legislation passed in the European Parliament (14th April 2016). Unless it is repealed during the Brexit negotiations, it will continue to be UK law, and in the meantime it’s vital that UK organisations have a grasp of what is to come.
The good news is that we all have until May 25th 2018 to get our data ducks in a row. If you are confused at all, one of our clients, IT Lab, has created an audit process to help businesses assess their use of data, mitigate risk and manage data lawfully and fairly going forward. Contact us for more information.
Sources and resources