The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. Whilst we've all heard of GDPR, many of us don't really understand what it actually means. This guide has been written to help you understand what it is and how it will affect you.
What is GDPR?
The General Data Protection Regulation (GDPR) was created by the European Parliament, the Council of the European Union and the European Commission. It is intended to strengthen and unify data protection for all individuals within the European Union (EU), and it also governs the export of personal data outside the EU.
GDPR aims primarily to give citizens and residents control over their personal data, while simplifying the regulatory environment for international business by unifying the rules across the EU. It became enforceable on 25 May 2018 after a two-year transition period. Unlike a directive, a regulation does not require national governments to pass enabling legislation, so it became directly binding and applicable to UK businesses on that date.
Understanding the key elements may be a lengthy process for any medium to large enterprise. The most important things to consider are:
- auditing the data protection measures currently in place at your organisation
- documenting what personal data you hold, where it came from and who you share it with
- ensuring all your procedures and future data collection are GDPR compliant
Smaller businesses may find themselves having to outsource this process to a third-party provider. If you are an SME, it may be preferable to call on the services of a security firm or a trusted consultancy business.
One key aspect for businesses to watch out for is whether their monitoring and incident-response processes can identify and react to security breaches quickly. This is because, under GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it. Keeping up with these additional requirements is an ongoing obligation, not a one-off project. With this in mind, many organisations will also need to appoint a Data Protection Officer (DPO), who is responsible for the way the organisation handles and processes personal data; this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
It is also worth noting that controllers must ensure that all personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled, the data is no longer required and should be deleted rather than retained indefinitely.
What qualifies as personal data under GDPR?
Anything that previously counted as personal data under the Data Protection Act 1998 also qualifies as personal data under GDPR.
Under GDPR, however, the definition of personal data has been expanded substantially, to reflect the ever-increasing types of data that organisations now collect about people. It includes, but is not limited to, IP addresses and other online identifiers, and economic, cultural and mental-health information. Pseudonymised personal data may also fall under the GDPR rules, depending on how easy or hard it is to identify the individual it relates to.
How do I get consent under the GDPR?
Rather than the passive acceptance found in older models, where you had to opt out or untick pre-ticked boxes, consent under GDPR must be active: the data subject must clearly opt in.
Records must be kept of how and when an individual gave consent, and individuals must be able to withdraw consent at any time of their choosing. Organisations that have not brought their systems up to date to meet these criteria must stop collecting data under the old model, as GDPR has been enforceable since 25 May 2018.
What is the 'right to be forgotten'?
Individuals also have the right to demand that their data is deleted if it is no longer necessary for the purpose for which it was collected. This is known as the 'right to be forgotten'. Under this rule, they can also demand that their data is erased if they have withdrawn the consent on which the processing was based, or if they object to the way it is being processed.
Where the controller has made the data public, it is responsible for taking reasonable steps to inform other organisations processing it (for instance, a search engine such as Google) that the individual has requested erasure of any links to, copies of or replications of that data.
Will Brexit change anything?
Some people may believe that, because the UK is leaving the EU, GDPR does not apply to them, but this is simply not true. GDPR became enforceable prior to Brexit, during the negotiation phase, while the UK was still a member state. In short, GDPR must be adhered to under British law, and equivalent domestic legislation is expected to remain in place after the UK leaves.
For more about GDPR
The above is provided as an overview of some aspects of GDPR, which came into effect on 25 May 2018. It does not reflect the full impact and compliance requirements placed upon individuals or organisations that collect personal data.
Always seek professional advice on legislation as important as GDPR. However, if you are conducting your own research, we have provided two great resources:
In line with GDPR - Richard is the Data Protection Officer at Talent Locker.