Data protection regulations are changing.
We are sure most of you are aware that, come 25th May 2018, the way data is handled and collected is changing. The General Data Protection Regulation (GDPR) is an EU-wide directive that will affect all businesses, no matter their size. If your company is found not to be compliant, you potentially face huge fines, so it is best to make sure you are prepared.
What Information does GDPR apply to?
Personal data means any information relating to an identifiable person, who can be identified (directly or indirectly) by reference to a particular identifier.
Sound a bit complicated? It did to us too at first, but the ICO's definition lists a range of identifiers that count as personal data, including: name, ID number, location data or an online identifier.
GDPR also covers personal data processed by automated means and personal data held in manual filing systems. This could include any manual records you hold that contain personal data.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive Personal Data
GDPR refers to sensitive personal data as “special categories of personal data”, which include genetic and biometric data where they are processed to uniquely identify an individual.
Ok, so what else?
The GDPR sets a high standard for consent. Consent means offering individuals real choice and control. GDPR will require a positive opt-in from individuals. What does that mean? It means that you will no longer be able to use pre-ticked boxes or any other default method of consent. Consent will need to be explicit, with a very clear and specific statement of consent.
Remember: be clear & concise.
It is also worth noting that consent must now be kept separate from other terms and conditions.
The GDPR will not just affect you as a business, but also as an individual. So, it makes sense for you to know the rights of individuals:
- Right to be informed: individuals have the right to be informed about the collection and use of their data.
- Right of access: you have the right to access your personal data and supplementary information.
- Right to rectification: simply, you have the right to have your data rectified. This can be done if your data is incorrect or incomplete.
- Right to erasure: no, you do not have the right to a personal concert with the band…It means your right to be forgotten. You have the right for your personal data to be removed when there is no compelling reason for its continued processing.
- Right to restrict processing: individuals have the right to block/suppress the processing of their personal data. They can allow businesses to store the data, but they are not allowed to process it.
- Right to data portability: allows individuals to obtain and reuse their personal data for their own purposes across different services. Meaning, they have the right to move, copy or transfer their personal data from one IT environment to another safely and securely.
- Right to object: individuals have the right to object to:
  - Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  - Direct marketing (including profiling);
  - Processing for purposes of scientific/historical research.
- Rights in relation to automated decision making and profiling: GDPR has provisions on:
  - Automated decision making (i.e. with no human involvement);
  - Profiling (automated processing of personal data to evaluate certain things about an individual). This can be part of the automated decision-making process.
We know that is a lot to take in and it still might not be clear as day (we had to go over the rights quite a few times, so we fully understood them), but we are hoping this might have helped you a bit. If you do need more detail on any of these (we have shortened them down quite a substantial amount), the ICO website has everything you need to know.
You will need to put in place measures that minimise the risk of breaches and uphold the protection of personal data. GDPR requires personal data to be processed in a way that ensures its security, including protection against unauthorised and unlawful processing, and against accidental loss, destruction or damage.
There is a lot of information to get your head around when it comes to GDPR, but it will be worth it. All the information and guidance you need is available on the ICO website (link below). Rest assured, our experienced Compliance Department has been working hard to implement new procedures to ensure that we are compliant before the 25th May deadline, which means your data and your clients' data are in the safest and most compliant of hands.