GDPR (General Data Protection Regulation) comes into force on 25th May 2018
Author: JETenterprises UK Limited | Published: 13th March 2018 12:33
Is your company ready?
The GDPR (General Data Protection Regulation) is effectively an update to the UK’s Data Protection Act. It sets out the requirements for companies that hold personal data, whether on staff, customers or others, and also sets out the rights of individuals to access the information held about them.
Very briefly, the GDPR was ratified by the EU in mid-2016 and gave member countries two years to implement the requirements. In the UK, this is led by the Article 29 Working Party and the Information Commissioner's Office (ICO). The regulations will be enforced from 25th May this year, and it is essential that companies understand the requirements and have put procedures in place to manage their responsibilities clearly: not only to avoid fines, but to give staff, customers and the general public confidence that their personal data is being responsibly managed and is not being unnecessarily shared.
Who Does GDPR Apply To?
The GDPR applies to anyone who manages personal data, or who sets out what a company does with personal information.
What Do Companies Need to Do?
Companies must proactively gain consent to hold personal data. Your terms for consent must be clear and not buried in the small print in ‘legalese’. Consent must be freely given and can be withdrawn at any time.
Companies must notify the affected people within 72 hours of a data breach. Failure to report within these timescales will lead to fines.
Right to Request Information
If any of your users request information on the data that you hold on them, you must have procedures in place to be able to provide, for free, a detailed report on the information held and what it is used for.
Right to be Forgotten
Once the personal data you hold is no longer required, or if consent is withdrawn, the user has the right to request that the data is completely erased. Again, you must have procedures in place to ensure that this is completed.
Privacy by Design
Companies have to design their systems with the proper security protocols in place from the start. Failure to do so will result in a fine.
Potential Data Protection Officers
In some cases, you may need to appoint a data protection officer (DPO). The requirement for a DPO depends on the size of your organisation and the level at which you process and collect data.
Your Rights As An Individual
The GDPR also gives you, as an individual, clear rights under the new regulations.
The right to be informed
Any organisation that holds personal data on you, whether provided directly by yourself or by a third party, must provide information on what data they hold and what they use it for. Any consent requests must be clear and jargon-free.
The right of access
You will have the right to obtain confirmation that your data is being processed, access to your personal data and any other supplementary information.
The right to rectification
You are entitled to have personal data rectified if it is inaccurate or incomplete. If the company has disclosed the personal data in question to third parties, they must also inform them of the rectification where possible. The company must also inform you about the third parties to whom the data has been disclosed.
The right to erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing where: the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed; you withdraw consent; you object to the processing and there is no overriding legitimate interest for continuing the processing; the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR); the personal data has to be erased in order to comply with a legal obligation; or the personal data is processed in relation to the offer of information society services to a child.
The right to object
You can object to a company using your data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
The Information Commissioner's Office (ICO) has developed checklists to help you assess how ready your organisation is. They can be seen here.
Download the ICO guide – 12 steps to GDPR – here.
For those of you who want the intimate details, download the full guidance here.
If you would like to know how we can help you fulfil your responsibilities under GDPR, please get in touch: call 0800 242 54 24 to arrange an appointment.
Article by JETenterprises UK Limited
For more information on their IT consultancy and services please see their website: JETenterprises UK Limited