An introduction to GDPR
Are you ready for the new regulations?
Time waits for no man
And the same can be said for the new General Data Protection Regulation (GDPR) that comes into force on Friday 25th May 2018. It might sound like a long way off right now, but why put off making sure your company’s processes for data protection are up to scratch?
You’ll feel better for it!
Changes to the data protection directive
Much of the current data protection regulation is still relevant and will be retained in the new GDPR. However, with data being such an integral part of the way we run our lives and our businesses, the GDPR makes important improvements, particularly around the issue of consent.
Data collectors will now be required to explain why data is being stored and what they will use it for. Terms and conditions must be written in clear and plain language so that there can be no ambiguity over the consent given, and personal data must be easily accessible to its owner (now referred to as the Data Subject).
What is the territorial scope for GDPR?
Previously, the rules around territories and data protection were unclear. GDPR goes a long way to streamlining this, while also increasing the scope of its coverage. So if your company processes personal data in any of the EU states, the new laws apply to you, regardless of your location.
This also means that the actual processing of that data could be taking place anywhere in the world and would still be bound by GDPR.
At the moment, here in the United Kingdom, we follow the rules of the Data Protection Act 1998, which came about after the 1995 EU Data Protection Directive. The new GDPR is intended to supersede that DPA.
Personal Data and GDPR
Among the many complicated terms contained in the GDPR, ‘personal data’ relates to any piece of information that would allow you to identify a particular individual. This can include things as simple as a person’s name or their home address. It can also cover things like photographs, email addresses and bank details. Another interesting point is that social media posts, and the information and statements that young people make online, bring us to the Right to Erasure element of the GDPR.
GDPR has taken stock of the original ‘right to be forgotten’ and given it a complete overhaul. Article 17 of the regulation says that:
“The data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or basic rights and freedoms of the data subject which demand security of personal data.”
Who is exempt?
Interestingly, the new GDPR does not include instructions on the processing of personal data for national security purposes, or those involved with law enforcement, as these organisations operate outside of the EU and UK laws.
Having said that, the GDPR is accompanied by a separate Data Protection Directive for the police and criminal justice sectors that provides rigorous rules on personal data exchanges at national, European and international levels.
The rights of the Data Subject
As well as seeking to ensure data is being adequately protected, the GDPR now makes it essential that all data subjects are informed of how their data is processed, how long it will be kept for, and who it will be shared with. Controllers will be required to provide this information when asked, where possible.
Essentially, if the data subject can prove that the existence of the data you are holding on them is infringing their rights or putting them at risk, they have a case for this information to be erased. This may include internet search results, or as we mentioned earlier on, posts on social media.