Guide to the General Data Protection Regulation (GDPR)
Europe’s data protection rules are going through some drastic changes. To keep up with the large amounts of data being created, the rules of how this data can be used in any manner.
Europe’s data protection rules are going through some drastic changes. To keep up with the large amounts of data being created, the rules of how this data can be used in any manner. These rules are due to be enforced from May 25, 2018. These rules have been mutually agreed on by the European General Data Protection Regulation(GDPR).
When GDPR starts to be enforced by data protection authorities it will alter how businesses and public sector organisations can handle the information of their customers. GDPR also boosts the rights of individuals and gives them more control over their information.
What is GDPR?
The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
The regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.
While GDPR applies across Europe, there is some flexibility for countries to change small parts of the rules to fit their preferences. The government says its bill outlines some exemptions from GDPR. It claims these include added protections for journalists, scientific and historical researchers, and anti-doping agencies.
How am I impacted, as a company?
Most companies will be affected if you have traffic from European countries you will have to comply with the new GDPR. Both personal data and sensitive personal data are covered by GDPR.
Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
A basic overview of changes
In the full text of GDPR, many articles are setting out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of the people they collect information about.
Accountability and compliance
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This will include having data protection policies and having relevant documentation on how the data is processed. For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.
There is a requirement for a business to obtain consent to process data in some situations. When an organisation is relying on consent to use a person’s information they have to explain that consent is being given and there has to be a positive opt-in.
Access to Your Data
Under the GDPR this being able to charge for access to personal information is being scrapped and it is going to be made free of charge. When someone asks a business for their data, they must stump up the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information.
How to prepare your business for GDPR
To help prepare for the start of GDPR, the ICO has created a 12-step guide. The guide, which is available here, includes steps such as making senior business leaders aware of the regulation, determining which info is held, updating procedures around subject access requests, and what should happen in the event of a data breach.