Six key factors you need to know about the General Data Protection Regulation coming into force on 25 May 2018
The General Data Protection Regulation (GDPR) is fast approaching, yet according to a recent Experian survey over 25% of those asked were ‘not very’ or ‘not at all’ prepared for GDPR.
This statistic seems to show that, despite the publicity surrounding GDPR, many businesses are unaware of what GDPR means for them or are unsure of what to do next.
First of all, you should be aware of why GDPR is being introduced and who it affects.
UK businesses currently operate under the Data Protection Act 1998 (DPA). The world has since become digital, meaning a radical shift in the volume, variety and speed of data that is produced.
And since data has become such a big part of business, the GDPR heavily focuses on protecting individuals and their data, by having transparency and customer interest at its core.
The GDPR applies to all business in the EU that collect, store and process personal data.
It’s important to remember that business data can also be personal data, a sole trader’s email address, for example, may also be their personal email address.
If this applies to your business, it’s in your best interest to be aware of the GDPR and take action sooner rather than later.
The businesses who are able to build trust and be transparent, will be the ones who thrive in the new GDPR era.
Once you have a good idea of what exactly GDPR is and who it applies to, you should be aware of the six key elements. These elements outline some of the most important individuals’ rights, as well as business requirements.
- Rights of Individuals
At the core of the GDPR is the theme of keeping individuals’ rights and interests front of mind at all times. Under the new regulation your customers will have the following rights:
The right to be informed (see below for more information)
The right of access
The right to rectification
The right to erase (see below for more information)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
More information on the rights of Individuals can be found on the Information Commissioner’s Office (ICO) website. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Right to be informed
Businesses must be sure to provide details on how customers information will be processed and why.
Privacy policies also will need updating to reflect this and be in line with GDPR requirements. Don’t forget that any policy changes will need communicating to both new and existing customers.
- Right to erasure (or ‘right to be forgotten’)
Individuals will now be able to request that their data is deleted.
This doesn’t give people an absolute right to be erased or forgotten, however it is possible under certain circumstances. For example, situations where there is no longer a compelling reason for the data to remain on file.
There are also occasions where this request can be refused. That is, when personal data has been processed for one of the following reasons:
To exercise the right of freedom of expression and information
To comply with a legal obligation for the performance of a public interest task or exercise of official authority
For public health purposes in the public interest
Archiving purposes in the public interest, scientific research historical research or statistical purposes
The exercise or defence of legal claims
- Data protection officer
As part of the new GDPR, it is a requirement that under certain circumstances a data protection officer (DPO) must be appointed.
This requirement would apply if, for example, you are carrying out large scale processing of special categories of data, or processing data relating to criminal convictions or offences. Public authorities will also need to appoint a DPO.
Of course, you may still appoint a DPO even if you’re not required to and this may be something to consider, to ensure that you have the resources and skills to manage your other GDPR obligations.
More information on DPOs can be found on the ICO website.
- Obligations on data processors
According to the ICO, a data controller “determines the purposes and means of processing personal data” and a data processor “is responsible for processing personal data on behalf of a controller”.
Under the DPA, the statutory obligations are on data controllers only.
However, the GDPR sees data processors being given new responsibilities around the security of personal data during processing activities. Data Processors will also be legally accountable for compliance outside of contract terms.
- Data protection impact assessment
A data protection impact assessment (DPIA) is a tool which the GDPR promotes so that businesses can effectively assess and comply with their own data protection obligations.
They allow you to identify and resolve any issues that may lead to non-compliance and the resulting costs and reputational damage that may ensue.
You are required to conduct a DPIA where the processing of data is likely to result in high risk to the rights and freedom of Individuals