What is GDPR?
GDPR stands for General Data Protection Regulation, and it is an EU regulation on data protection and privacy for all individual persons within the European Union.
The regulation focuses largely on the export of personal data outside the EU. It tries to place control over personal information back into the hands of citizens and residents, and to simplify the regulatory environment for internal business by unifying the regulation within the EU. It governs the storage and processing of data rather than its collection. It also contains some important consumer rights, the most important of which are: the right to be informed, the right to access, the right to correct errors, the right to erase data, the right to restrict processing, and the right to take data elsewhere.
The GDPR replaces the 1995 Data Protection Directive and officially takes effect from 25th May 2018, although it was approved on 14th April 2016. The GDPR will be fully effective for all governments belonging to the EU and does not require government approval for it to take effect. It will be handled by the Information Commissioner’s Office.
The UK government has also stated that, despite its decision to leave the European Union, the regulation will still take full effect. However, it is going to be modified slightly and will be implemented by the Data Protection Bill. It will potentially include some exemptions for journalism, similar to those in the previous DPA, so it is important to check whether these will apply to you.
Who will GDPR apply to?
GDPR will be enforced for companies and organisations, with a particular focus on those with over 250 employees. Homes and household users are exempt.
N.B. If you are a freelancer, you may store and process data without being aware that you are even doing it. This processing can take many forms, even something as simple as entering a name into an address book and looking it up later. It is highly recommended that you review the information you are storing and ensure that you have put in place appropriate systems to protect this information.
This protection can take various forms:
- Data Backups
- Malware Protection
- VPN when using a public hotspot
Personal data includes names, addresses, phone numbers and IP addresses, as well as “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Interestingly, this includes biometric factors we do not often consider, such as face, fingerprint and iris recognition, and again genetic information. It is worth remembering that we may hold personal data that can identify a person even though we do not know their name.
Preparing for the General Data Protection Regulation
- Awareness: check whether the managers and decision makers within your organisation are aware of this changing regulation. If people are educated ahead of time, the transition should be smooth and without negative implications.
- The information you hold: record what personal data you have, where it came from and who you share it with. You may need to organise an information audit.
- Privacy: review the state of your privacy notices, and put in place a plan to change any settings or circumstances you are not happy with ahead of time.
- Individual rights: check that your procedures cover all the rights belonging to individuals, including how you would delete personal information or provide information electronically.
- Subject access requests: update your procedures and plan how you will handle requests within the new timescales.
- The lawful basis for processing personal data: identify the lawful basis for your processing activity under the GDPR, document it and update your privacy notice to explain it.
- Children: pay attention to whether or not you need to explain and verify the ages of the people whose data you are processing.
- Data breaches: make sure you are secured against any potential data breaches.
- Data protection by design and Data Protection Impact Assessments: educate yourself on the code of practice on Privacy Impact Assessments as well as the guidance from the Article 29 Working Party.
- Data Protection Officers: assign a person who can help assess and educate everyone on the meaning of this new regulation and how it will affect their daily work.
- International: if your organisation operates in more than one EU member state, determine your lead data protection supervisory authority.
What happens if you do not comply?
If you do not comply, regulators will have the power to fine businesses. The size of these fines will be decided by the ICO. The aim of the GDPR is not to catch businesses out, and whilst this will happen, it is about putting the consumer and citizen first.