If you or your company processes, stores or transmits personal data belonging to EU residents, then you’ll need to comply with the GDPR Regulations.
As we’re all time-short, here’s a brief summary of the new Data Protection Regulations, along with a helpful Guide and Checklist from the Information Commissioner’s Office:-
- General Data Protection Regulation (GDPR): intends to strengthen/unify data protection for EU individuals, and aims to give control back to citizens over their personal data.
- If you’re a processor: the GDPR places specific legal obligations on you, e.g. you’re required to maintain records of personal data and processing activities.
- If you’re a controller: the GDPR places further obligations on you, to ensure your contracts with processors comply with the GDPR.
- Organisations with fewer than 250 employees: are not required to maintain a record of processing activities, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”.
- Enforceable: from 25 May 2018; it replaces the 1995 Data Protection Directive.
- Consent: must be explicit, both for the data collected and for the purposes the data is used for.
- Pseudonymisation: a process that transforms personal data; encryption is one example.
- Right of Access: the right to access one’s personal data and to be told how that data is processed.
- Right to Erasure: the data subject can request erasure of personal data related to them on any number of grounds.
- Portability: a person can transfer their personal data from one electronic processing system to another, without being prevented from doing so.
- Data protection by Design and by Default: data protection must be designed into the development of business processes for products and services, and privacy settings must be set at a high level by default.
- Record keeping: records of processing activities must be maintained that include purposes, categories, and time limits.
How this translates in practice (source: ICO):-
- Organise an information audit; this will identify the data you process and how it flows into, through and out of your business, and then identify any risks.
- Let individuals know how you intend to process their personal data and what your lawful reasons for doing so are, e.g. in your privacy notice and within any forms or letters you send to individuals.
- Keep consent under review, and renew it if anything changes: use a system to capture these reviews and record any changes.
- Until May 2018, you are still required to register with the ICO (unless an exemption applies). After May 2018 you need to pay the ICO a data protection fee.
- When individuals ask for inaccurate or incomplete personal data to be rectified, respond without delay and at the latest within one month of receipt.
- Keep a written schedule that reminds you when to dispose of data securely, including when individuals request to be forgotten.
- Individuals have a right to block or restrict the processing of personal data.
More Information from the Information Commissioner’s Office:
Claire Sheppard, CS Admin Support