What is GDPR?
The General Data Protection Regulation (GDPR) is a major change to data protection law and will supersede the current Data Protection Act 1998 (DPA). Overall, the GDPR strengthens privacy rights for individuals and imposes stricter obligations on organisations to manage securely any personal data they hold.
The new regulation comes into effect on 25 May 2018. Although that may still be a few months away, compliance will require time-consuming changes, so avoid delay and start your preparations now. Organisations tend to hear ‘data’ and hand the matter straight to their IT team, but this legislation affects teams across the organisation, including Marketing and Accounts, and is an organisation-wide commitment; all the more reason not to delay.
What is personal data?
Personal data means any data that can identify an individual, which can include anything from an email address to religious beliefs. While the definition can be fairly vague, the ICO has produced a quick reference guide (8 pages) and a much more detailed guide (30 pages).
Download our Readiness Checklist
You can download our GDPR overview and checklist to help on your compliancy journey here.
How it helps individuals:
- Individuals have the right to access their data and can request a copy of their personal data
- Individuals have the right to be forgotten and their personal data deleted
- Individuals must give consent for an organisation to process their personal data
- Individuals have peace of mind that organisations are protecting their data, reducing fears of breaches and data sharing
What this means for organisations:
- You must obtain clear consent to process personal information
- You must clearly state how you will use this data and if it will be shared
- You cannot rely on a ‘soft’ opt-in, such as a pre-ticked opt-in box
- You must keep records of individual opt-in evidence and may be required to show this data
- It must be easy for individuals to withdraw their consent
- You should govern how your data is used and accessed
- You should keep records regarding data processing, such as consent dates and what the data is used for
- You should be able to easily export and/or delete personal data if requested
- Your organisation must protect personal data to prevent attacks and data breaches
- You must ensure a high level of data security is in place
- You must have measures in place to detect and respond to any breaches
- If you suffer a breach then you must notify the authorities within 72 hours; this does not just mean hacking, but also human error, such as an employee sending information to the wrong person
- Personnel and employees need to be trained and aware of how to protect personal data
- Certain organisations will need to assign a Data Protection Officer (DPO)
- You must define data retention and deletion policies
- You must define roles and responsibilities so that only those who need to access personal data can do so
- You should audit and update policies regularly
- You should review roles and responsibilities regularly to ensure that only those who need access to personal data have it