The General Data Protection Regulation (GDPR) can be a tough topic to get your head around, but it is vital for organisations to understand it and to prepare for any changes they will need to make before it applies from 25 May 2018.
This date is not affected by the UK’s decision to leave the EU.
You may have a number of questions about GDPR and about what actions you and your organisation should be taking ahead of May. We have attempted to answer these here, so that you have a sound basis on which to plan your approach to implementation.
The new regulation applies to everyone who is a ‘controller’ or a ‘processor’. A ‘controller’ determines the purposes for which, and the manner in which, personal data are processed. A ‘processor’ is any other person (other than an employee of the controller) who processes personal data on the controller’s behalf. If you are currently subject to the Data Protection Act (DPA), you will almost certainly be subject to the GDPR.
GDPR applies to personal data, which means information relating to an identified or identifiable person, such as names and addresses. It also covers online identifiers, for instance IP addresses, and ‘special categories’ of personal data (the GDPR’s term for sensitive data), which include genetic and biometric data. GDPR does not apply to some activities, including those covered by the Law Enforcement Directive, processing for the purposes of national security, and processing by an individual for purely personal or household activities.
Personal data should be:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary for the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for those purposes.
- Processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The GDPR requires that consent be freely given, specific, informed and unambiguous. To emphasise its importance, a request for consent must be presented separately from agreement to Terms and Conditions, and it must be as simple for the individual to withdraw consent as it was to give it. Where consent involves children, it should be worded in a way a child can understand, and you should consider whether the consent of a parent or guardian is required, for instance for online services offered directly to children.
Individuals have the following rights under the GDPR:
- The right to be informed: individuals must be told, transparently, how their personal data are used.
- The right of access: individuals can obtain confirmation that their personal data are being processed, and access to those data and to information about the processing.
- The right to rectification: individuals can have inaccurate information corrected, and any recipients to whom the data have been disclosed must be told of the correction.
- The right to erasure: individuals can request the removal of their data, otherwise known as the ‘right to be forgotten’.
- The right to restrict processing: individuals can require that their data be stored but not processed any further.
- The right to data portability: individuals can obtain their own data in a machine-readable form and reuse it across different services.
- The right to object: individuals can object to processing on a number of grounds, and in every case can object to direct marketing.
- Rights in relation to automated decision making and profiling: these safeguard people against the risk that a decision with legal or similarly significant effects is made about them without any human input.
A DPIA, or Data Protection Impact Assessment, is a tool that helps organisations find the best way to meet their data protection obligations and individuals’ privacy expectations. DPIAs are not a legal requirement under the DPA, where they are promoted as an integral part of a privacy-by-design approach, but under the GDPR a DPIA must be carried out where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.
You must appoint a Data Protection Officer (DPO) if:
- You are a public authority.
- Your core activities involve large-scale, regular and systematic monitoring of individuals.
- Your core activities involve large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
Breaches: All organisations will need to be able to show that they have implemented appropriate technical and organisational measures to protect personal data. All organisations will also have a duty to report certain types of personal data breach to the relevant supervisory authority, without undue delay and where feasible within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to individuals, to inform those individuals as well.
The transfer of data: There will be new restrictions on transferring personal data outside the EU to ‘third countries’ (countries outside the EU/EEA) or to international organisations. This ensures that the level of protection the GDPR gives to individuals is not undermined when their data leave the EU.
National derogations: Member states can restrict the GDPR’s transparency obligations and individual rights, but only where the restriction respects the essence of the individual’s fundamental rights and is a necessary and proportionate measure to safeguard an interest listed in the regulation, such as national security, defence, public security or the prevention and investigation of crime.
Does this mean I can no longer email leads?
You will still be able to email leads, but you must be able to prove that each lead has agreed to this form of communication. The GDPR does not prescribe any particular mechanism, but it does require that you be able to demonstrate that the data subject gave consent, so you should keep a record of when and how each lead consented. A double opt-in, in which the lead must confirm from the email address they supplied, is the usual way to produce that evidence: a single opt-in would allow anyone to sign up any email address, which is exactly what needs to be avoided.
How do I know if I’m compliant?
Easy: take our GDPR compliance quiz here.
When can I be fined for not being compliant?
Fines can be imposed for infringements from 25 May 2018, when the GDPR becomes enforceable. From that date organisations that fail to comply will face far larger fines than under the DPA: the GDPR allows penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher.