A question a lot of people are asking is: what is GDPR? We have created this blog post to give an outline of what GDPR means for your organisation.
GDPR is the General Data Protection Regulation, a new set of data protection regulations being introduced across the EU. The new regulations come into force on 25th May 2018, following a 2 year transition period. The aim is to standardise data protection legislation across the EU; in the UK, GDPR will replace the UK Data Protection Act (DPA) 1998. The UK Government has already confirmed that Brexit will not affect the introduction of the new GDPR legislation.
What this means is greater data privacy for EU citizens and more control over who can access their personal data, allowing individuals to hold to account organisations that misuse or collect their personal data without permission. This even applies to companies outside the EU: they must comply with GDPR if they want to legally provide services to EU citizens.
What makes GDPR different from existing data protection regulations is the significantly increased fines. There will be provisions for fines of up to £17 Million or 4% of annual global turnover, whichever is larger. As a comparison, the UK DPA 1998 allows for fines of up to £500,000, so it's no wonder so many organisations are taking GDPR so seriously.
What Is GDPR – Is It Relevant To My Organisation?
Every organisation is going to have some amount of personal data to manage. GDPR isn't just about data privacy for individual customers. It also applies to the personal data of employees, contractors, potential candidates, etc. This means HR files, leavers' files, job applications, payroll, etc. are all going to need to be managed in accordance with GDPR.
GDPR defines personal data as any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This provides for a wide range of possible identifiers.
Name, address, age, gender and contact details are all identifiers, as are many other pieces of information that might not be immediately obvious, such as:
- Employee information
- Customer service & feedback data
- IP Addresses
- Location & CCTV data
- Biometric data
- Financial information
GDPR also refers to special categories of personal data which have even stricter rules relating to collection and processing. These special categories include things like health / medical information, race / ethnic origin and sexual orientation.
What Is GDPR – What Are The Requirements?
Under GDPR, organisations must be able to demonstrate that they comply with a number of principles. Some of the main principles are:
- Companies must process data relating to an individual lawfully and in a fair and transparent manner.
- The data must be collected and processed for a specified, explicit and legitimate purpose.
- The data must be adequate, relevant and limited to what is needed for the purpose for which the data is being processed.
- Companies must ensure the data is accurate and kept up to date. Every reasonable step must be taken to ensure inaccurate data is corrected or erased without delay.
- Data should only be kept as long as required for the purpose for which the data was processed.
- Any data should be processed in a way that ensures the security, integrity and confidentiality of personal data is maintained.
What Is GDPR – How To Comply?
How GDPR compliance is achieved will vary from company to company, but some key things every organisation should look to do are:
- Keep up-to-date documentation of processing activities.
- Implement the principles of data protection by design and by default.
- Implement appropriate policies and procedures to demonstrate compliance.
- Conduct data audits of the information the organisation holds.
- Consider digitising paper archives to improve the efficiency of data retrieval.