talkGDPR – What is GDPR?

What is GDPR?

EU General Data Protection Regulation (GDPR) came into force in May 2018 and forces businesses to think differently about how they manage and store data.

General Data Protection Regulation – the basics…

In the UK, GDPR has replaced the Data Protection Act 1998. It is designed to give individuals more control over how businesses use their data and has introduced penalties for companies that fail to comply with the Act.

It also ensures data protection law is consistent across the EU. The ICO (Information Commissioner's Office) will monitor activity to ensure individual companies' policies are fully compliant.

What is classified as Personal Data?

All aspects of personal data that were included under the Data Protection Act still apply under GDPR. The EU has, however, substantially expanded the definition of personal data under GDPR, which now includes new types of personal data such as IP addresses.

Other data, like economic, cultural or mental health information, are also considered personally identifiable information.

When can individuals access the data you store?

GDPR provides individuals with the ability to request access to the data you hold on them at 'reasonable intervals', and you have a month to respond. Companies must clearly identify how they collect information, what purposes they use it for, and the ways in which they process the data.

People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. They can also ask for that data to be changed if it is incorrect or incomplete at any time. To streamline this process, it is advisable for businesses to provide secure, direct access for individuals to review what information the company holds about them.

The ‘Right to be Forgotten’

GDPR makes it clear that people can have their data deleted at any time if it’s no longer relevant and the company no longer needs it for the purposes it was collected for. If the data was collected under the consent model, an individual can withdraw this consent whenever they like.

They might do so because they object to how an organisation is processing their information, or simply don’t want it collected anymore.

Can individuals move their data?

Yes, and it is your responsibility to do this quickly. The legislation means individuals can expect you to move their data within four weeks and share it in an open, common format such as CSV, to ensure it can be read by another provider.

What happens if we suffer a data breach?

It's your responsibility to inform the Information Commissioner's Office of any data breach that risks people's personal rights within 72 hours of your organisation becoming aware of it.

Your initial contact with the ICO should outline the nature of the data that’s affected, how many people are impacted, what the consequences could mean for them, and what measures you’ve already actioned or plan to action in response.
But even before you call the data protection authority, you should tell the people affected by the data breach. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.

If you can demonstrate that your business is putting procedures in place to ensure your business is compliant with GDPR, the ICO would likely not issue as high a fine in the event of a breach as it would otherwise.
