The GDPR – or General Data Protection Regulation – comes into force on 25 May 2018. It’s the biggest change to record control in the UK since the introduction of the current Data Protection Act in 1998.
And why is it here?
The GDPR will ensure that, should a company lose data or suffer a security breach in this age of cyber-attack, that company can accurately know the extent of the loss and be confident that it had permission to hold that data in the first place. The Data Protection Act came into force at the beginning of the growth of the internet, and it is now simply not far-reaching enough to cover the range of information media that businesses handle. In response, the GDPR steps in to address the challenges of the digital age, where documents are held both on paper and in countless media online.
Key points
- Significantly higher fines can be imposed on organisations failing to comply
- There’s a broader definition of what constitutes ‘personally identifiable information’
- The rules for consent become more stringent
- Organisations now must respond more quickly to access requests
- Data collection management and tracking must become much more transparent
- Accountability: organisations will have to be able to document how they comply with the GDPR.
Obtaining Consent
Companies that want to use or keep personal information will now have to meet more stringent rules governing how that information can be used. The way in which consent is obtained and recorded will be significantly more transparent. Data ‘nudging’, such as pre-ticked consent boxes and double-negative opt-outs, is specifically ruled out. You might already be starting to see some of these changes being rolled out by forward-thinking businesses.
Individuals will have these rights
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure (the right to be forgotten). This is NEW
- The right to restrict processing.
- The right to data portability. This is NEW
- The right to object.
- Rights in relation to automated decision making and profiling.
The Subject Access Request or SAR
In addition, from 25 May 2018, every individual will have the right to submit a Subject Access Request (SAR) to any organisation, business, public body or charity to find out what information is held about them. That organisation then needs to respond, within one month, with full details of what information they hold, and – crucially – why they hold it.
What actually counts as personal information?
We must all think beyond a name and address. Personal information includes things like dates of birth, NI numbers, CVs, vehicle registration numbers, postcodes, passports, IP addresses, e-mail accounts and their associated addresses/contacts, web and social media content, credit cards, certificates, phone numbers, contact lists in mobile phones, photographic/electronic images, biometrics, genetics and anything else that can potentially identify a living person.
Why should organisations bother?
It’s simply good business to demonstrate respect for customer privacy, especially these days; people care about their details. Handling information appropriately has become a telling indicator of business quality. But perhaps yet more compelling is that failure to comply with the GDPR can result in fines of up to 4% of global turnover. And if that’s not bad enough, spare a thought for the damage to your reputation and the loss of public confidence in your brand. Yikes.
How do we begin?
The starting point for every organisation will be to identify and understand what personally identifiable information it holds and where it is stored. Is it backed up? Has appropriate consent been obtained and recorded? For small organisations, checking this may quickly reveal that they have little to worry about. For more complex organisations, the task will be greater, but far from unmanageable.
How we can help
The good news is, we can help remove the mystery, get you up to speed with the GDPR and help you prepare for 25 May 2018. We can:
- Answer questions
- Help to explain what’s practically required
- Provide information and guidance
- Provide implementation consultancy
- Carry out data audits
- Undertake a gap analysis
- Deliver GDPR awareness training for managers and staff
- Help in developing your Privacy Policy
Want to find out more?