Personal data is defined as ‘any information relating to a person who can be identified directly or indirectly’. Personal data has been a topic of discussion over the last few years, and no matter what industry you work in, you will almost certainly have seen how rapidly data is changing the face of the world.
Many different companies and organisations collect personal data from the moment you enter your email address or credit card details; you are automatically giving away unique data, because it is specific to you. Do you ever get targeted ads popping up on your desktop or mobile? This is aggregated data: data about you that is sold on to third-party companies trying to entice you onto their websites, most likely directing you to sites you have never heard of.
After four long years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union in April 2016 and comes into force on 25th May 2018. GDPR will apply to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. The law's main aim is to give citizens more control over their personal data and to provide a single piece of legislation that creates a uniform set of rules. To achieve this, there is a two-year transition period for companies to reach full compliance.
What is the difference between the Data Protection Act & GDPR?
GDPR will replace what was formerly known as the Data Protection Act, but GDPR will not be an identical replacement.
| Data Protection Act | GDPR |
|---|---|
| Only applies to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Enforced by the Information Commissioner's Office | Compliance will be monitored by the Information Commissioner's Office (ICO) |
| Non-compliance can result in fines of up to £500,000 or 1% of annual turnover | The potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business's annual global turnover, whichever is greater |
| This legislation does not require a data protection officer | It is mandatory to appoint a data protection officer if you process 'large' amounts of data on a day-to-day basis, or process highly sensitive data |
| Businesses are under no obligation to report data breaches, though they are encouraged to | Any data breach must be reported to the regulator within 72 hours of the incident being discovered |
| There is no requirement for an organisation to remove all data they hold on an individual | An individual will have the ‘right to erasure’, which covers all data, including web records, with all information being permanently deleted |
| Protection Impact Assessments (PIAs) are not a legal requirement under the DPA | PIAs will be mandatory whenever a new system is designed and implemented within an organisation |
| Data collection does not necessarily require an opt-in under the current Data Protection Act | The need for consent underpins GDPR. Individuals must opt in whenever data is collected, and there must be clear privacy notices |
What is obvious from the above comparison is that GDPR is much firmer, and its requirements are mandatory. There is a substantial increase in fines for organisations that do not comply with the new regulation. On the consumer side, individuals will have more rights: not only the right to erasure, but also the ability to dictate how businesses may use their data, especially where keeping the data is no longer required.
Will GDPR affect me?
GDPR will apply to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. Anyone acting as a ‘data controller’ or ‘data processor’ will need to abide by GDPR and be up to date with the legislation.
6 steps to ensure you're being compliant
Be aware
It is important to ensure that key individuals and decision makers within your organisation are fully aware that the law is changing to GDPR, and that the impact this will have on the organisation is discussed.
Information held
What personal data do you currently hold? Where did it come from? Who do you share it with? Each organisation should document all of this in advance of the GDPR enforcement date. An information audit may need to be organised to document this effectively.
Communicating privacy
Review your current privacy notices and ensure any changes that are required as a result of GDPR are planned in advance of the enforcement date.
Individual rights
Current procedures should be checked to ensure they cover all the rights that individuals have, including how you would delete personal data or provide data to individuals electronically in a commonly used format.
Subject access requests
Procedures should be updated to explain how you plan to handle requests within the new timescales that GDPR demands, and how you will provide any additional information required.
Legal basis for processing
Review the various types of data processing you currently carry out, identify the legal basis for each, and document this accordingly.
Consent
How are you currently seeking, obtaining and recording consent from your customers? You should review this and consider if any changes need to be made as a result of GDPR.
Children
Start thinking about putting new systems in place to verify the age of individuals and to gather parental or guardian consent for data processing activities.
If you would like further information on any item within this article, please contact us at marketingsouth@moorestephens.com.