GDPR
On 25 May 2018 most processing of personal data by organisations will have to comply with the General Data Protection Regulation. Use ISO Certification Limited to help you get prepared.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force. Yet, according to recent research by Experian, nearly half (48%) of UK businesses are still not prepared for the changes.
The new rules are being introduced in response to advancements in technology, data collection, and the increasing threat of cyber-attacks and data breaches. The GDPR includes some significant enhancements on previous regulations, giving consumers greater control over their data, while increasing the onus on companies to keep this information safe.
Key changes include a shift from the allowance of “opt out” consent to the requirement for consent to be explicitly “opt in”, as well as greater powers for customers to access their data. There is also a greater obligation for businesses to document what they’re doing to protect customer data, while incorporating ‘privacy by design’ into everything they do.
The potential fine for non-compliance will also increase, with fines of up to £20m or 4% of annual turnover – whichever is higher. So, if you’re not already on top of your responsibilities, it’s time to get prepared. Here’s an outline of your responsibilities, highlighting the key changes under the EU GDPR:
What data is covered?
Personally Identifiable Information (PII) is anything that can be used to identify an individual, including their name, email address, telephone number, date of birth or anything more specific such as an IP address, GPS data or health information.
Register with the ICO
If you plan to collect, store and/or use personal information, you must inform the Information Commissioner’s Office (ICO). You can find out more about registering with the ICO here. There are a few exceptions, but most businesses need to register.
The key principles that you must comply with are:
- Process data justly and fairly: You must have a good reason for storing and using personal data. The data may be necessary to providing your product or service – and therefore incorporated in your contract with the client – or the customer must have given their permission for you to store and use it. Under the new rules it must be an ‘opt in’ rather than an ‘opt out’ – no sneaking a tiny opt-out box where nobody can read it!
- Only use data for specified lawful purposes: This means being reasonable and transparent about how you’re using the data, not doing anything unlawful or that your customers aren’t going to like, and putting a privacy policy in place that is easily accessible.
- Data must be adequate and not excessive: You should only hold as much information on individuals as you need. Anything you don’t need should be destroyed.
- Personal data should be accurate and up-to-date: If you’re holding a lot of data, it may be tricky to ensure it’s all completely accurate. But you need to take reasonable steps to ensure it is as accurate and up-to-date as possible, putting processes in place to update or destroy old or inaccurate records.
- It shouldn’t be kept longer than necessary: There is no minimum or maximum length of time that you can keep personal data, but you should consider how long you need it and destroy it once it has fulfilled its purpose. This also helps with point four, as it reduces the chance of you holding out-of-date, inaccurate data.
- Security: You must have sufficient security to avoid data being either deliberately or accidentally compromised. This means both technical security and robust processes and procedures, including training your staff sufficiently. You must also be ready to respond to a breach if the worst happens.
- It should be processed in accordance with individuals’ data rights: There are now eight rights to be aware of, up from the six listed in the Data Protection Act (DPA). These cover an individual’s right to have access to their data, have it erased, restrict its usage and move it from one IT provider to another. Companies also have less time to comply with customer requests than under the DPA – only one month, rather than 40 days.
- Accountability: This aspect of the law has been strengthened significantly in the GDPR, which states that businesses must put in place measures to show that they are complying with the rules. This includes tools such as internal data protection policies, staff training, internal audits, and reviews of internal HR policies. The idea is to carry out ‘privacy by design’, whereby data protection is hardwired into the processes and behaviours of the organisation. If you carry out large-scale tracking of individuals, or are involved in processing specialist data, then you will also need to appoint a Data Protection Officer.
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It will enter into force 20 days after its publication in the EU Official Journal and will be directly applicable in all member states two years after this date. Enforcement date: 25 May 2018 – at which time those organisations in non-compliance will face heavy fines.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy.