An introduction to GDPR
Are you ready for the new regulations?
Time waits for no man
And the same can be said for the new General Data Protection Regulation (GDPR), which applies from Friday 25th May 2018. It might sound like a long way off right now, but why put off making sure your company’s processes for data protection are up to scratch?
You’ll feel better for it!
Changes to the data protection directive
Much of the current data protection regulation is still relevant and is retained in the GDPR. However, with data being such an integral part of the way we run our lives and our businesses, the GDPR makes important improvements, particularly around the issue of consent.
Data controllers will now be required to explain why data is being collected and what they will use it for. Terms and conditions must be written in clear and plain language so that there can be no ambiguity over the consent given, and the request for consent must be clearly distinguishable from other matters. Consent must also be as easy to withdraw as it is to give.
What is the territorial scope for GDPR?
Previously, the rules around territories and data protection were unclear. The GDPR goes a long way towards streamlining this, while also increasing the scope of its coverage. So if your company processes the personal data of individuals in the EU, whether through an establishment in the EU or by offering goods or services to people there, or monitoring their behaviour, the new law applies to you regardless of where the company is based.
This also means that the actual processing of that data could be taking place anywhere in the world and would still be bound by GDPR.
The General Data Protection Regulation (GDPR) is a new law adopted by the European Parliament and the Council of the EU. We might be leaving the EU at some stage, but the UK government has already signalled that we will be taking on the same rules when May 2018 comes round. The regulation was adopted back in April 2016, and the two-year gap between adoption and application is the transition period set aside for companies to become compliant before the deadline.
At the moment, here in the United Kingdom, we follow the rules of the Data Protection Act 1998, which implemented the 1995 EU Data Protection Directive (95/46/EC). The GDPR repeals that Directive and is intended to supersede the DPA.
Among the many complicated terms contained in the GDPR, ‘personal data’ means any information relating to an identified or identifiable person. This can include things as simple as an individual’s name or their home address. It can also cover things like photographs, email addresses and bank details. Another interesting point is that social media posts, and the information and statements that young people make online, also count, which brings us to the Right to Erasure element of the GDPR, covered later on.
Incidentally, the individuals who have data stored on them are referred to in the GDPR as data subjects.
Other personal data can include a person’s medical records, or even an IP address, since it can be used to single out the individual behind it.
Interestingly, the GDPR does not cover the processing of personal data for national security purposes, which falls outside the scope of EU law, or processing by the police and other competent authorities for law enforcement purposes.
Having said that, a separate Data Protection Directive for the police and criminal justice sectors was adopted alongside the GDPR. It provides robust rules on personal data exchanges at national, European and international level.
Coming back to the Right to Erasure in the GDPR, the new regulation has taken stock of the original ‘right to be forgotten’ and expanded it. Article 17 in the regulation says that “the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller are overridden by the interests or basic rights and freedoms of the data subject which demand security of personal data.”
Essentially, if the data subject can show that one of those grounds applies, for example that the data is being processed unlawfully, that it is no longer needed for the purpose it was collected for, or that its existence is infringing their rights or putting them at risk, they have a case for this information to be erased. This may include internet search results or, as discussed earlier on, posts on social media. The right is not absolute: Article 17(3) lists exceptions, including where the processing is needed for freedom of expression or to comply with a legal obligation.
As well as seeking to ensure data is adequately protected, the GDPR makes it essential that all data subjects are informed of how their data is processed, how long it will be kept for, and who it will be shared with. Controllers must provide this information at the point the data is collected (Articles 13 and 14), and data subjects can also request it, along with a copy of their data, under the right of access (Article 15).