The General Data Protection Regulation (GDPR) will come into effect next year, prompting all businesses to review how they capture, handle and store the data of individuals.
Note: the following article represents our current understanding of GDPR and only provides an insight into some of it’s requirements. Guidance should be sought from the Information Commissioner’s Office (ICO) for next steps.
What is GDPR?
Effective from 25th May 2018, the regulation will affect businesses that capture individuals’ data within the EU. GDPR’s general premise empowers individuals, by affording them greater control of their data and what companies can do with it. With this date arriving next year, businesses are being encouraged to review their protocol in advance of the date.
What Should I be Aware of?
According to the GDPR, there are a number of Data Protection Principles your business needs to take in relation the data it holds about individuals, which is covered in depth by the Information Commissioner’s Office. This includes:
- Fair and Lawful – having a legitimate reason to collect and use personal data, as well as using data in way that does not have unwelcome effects on the individual concerned. You should also be transparent about how data is handled
- Purpose – Being clear about the reasons for collecting personal data and what will be done with said data
- Data Minimisation – ensuring that an adequate amount of data is held for its purpose and not more than is required
- Accuracy – also ensuring that information held is up to date
- Storage Limitation – Ensuring data is only held for as long as is required
- Integrity and Confidentiality – Ensuring all data is kept private and adequately protected.
- Accountability – Ensuring your business is generally responsible for the data is holds and demonstrate it is acting in accordance with these principles when required.
When Can You Process Personal Data?
- With Consent – Consent must now be affirmative, ensuring the likes of check boxes are now “opt-in”. Clear transparency of what will be done with personal data must be evident, along with separating this process of capturing data from other unrelated terms and conditions. Unsubscribing must also be as simple a process as subscribing.
- Contract – In the instance you are providing a contract of goods and services to a customer/client, you can process personal data by adhering to the data protection principles.
- Legitimate Interests – this is relevant should there be legitimate reason for holding personal data. The ICO can provide additional information on these circumstances.
You must also clearly display your privacy policy to individuals, including contact details of those controlling the data.
Changes to the Individual
The individual (or data subject) is more empowered for how their data is managed. This includes:
- The way an individual can request their data –
- The individual’s right to erasure – This is acceptable if data is not longer relevant or necessary, or if consent has been withdrawn, or finally if data had been unlawfully captured and processed. However, this may be contestable according to some legitimate grounds.
- Other rights – In some instances, individuals can also request for processing to be ported to another supplier, restricted or corrected.
What Do I Need to do Next?
Businesses that are fully compliant with current data protection regulations will need to undertake a number of steps to check the data held is still fit for purpose. Additionally, some measures will need to be undertaken to ensure data capture is compliant. This includes:
- Awareness – ensuring awareness exists within the decision makers in your business in order to examine areas where your business may not be compliant
- Accountability – Ensuring the staff resources and framework of procedures are in place to legitimately capture, hold and process data
- Information you Hold – Conducting an audit to examine current data held and how it has been captured/processed
- Impact Assessments – ensuring current data processing activities meet the principles, and implementing data protection by design for new practices/software
- Speaking with your Data Processors – Ensuring that any third parties who access personal data are also compliant
The ICO also have a number of resources available to support your review process.
How much time do I have?
With an official date of 25th May 2018, businesses are left with approximately 7 months (correct at time of writing) to ensure their protocol is up to legal standard.