GDPR: General Data Protection Regulation
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) was introduced to harmonise data protection law across all EU member states, so that the same rules apply in every country within the EU. It protects individuals in the EU from organisations using their data irresponsibly and puts them in charge of what information about them is shared, and where and how it is shared.
The GDPR applies from 25 May 2018. Even though the UK is due to leave the EU in the next 12 months, it will still apply to all businesses handling the personal data of EU residents, and in the UK it effectively replaces the Data Protection Act 1998.
Why is the law changing?
The current UK legislation covering data protection is the Data Protection Act 1998. Since then there have been many advances in technology and a large increase in the processing of personal data by a wider range of organisations. The new legislation takes those changes into account in order to protect individuals’ data.
What data does GDPR relate to?
The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person: someone who can be identified, directly or indirectly, in particular by reference to an identifier.
This definition allows a wide range of identifiers to constitute personal data, including a name, an identification number, location data or an online identifier, reflecting changes in technology and in the way organisations collect information about people.
From 25 May 2018 personal data includes the following:
- an individual’s name;
- an individual’s identification number, e.g. a payroll number, a CV reference number, a named email address or a telephone number;
- an individual’s location data;
- an individual’s online identifiers (e.g. an IP address or a cookie identifier); and
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
What are the key changes?
- GDPR legislation requires that businesses which process ‘personal data’ take a data protection by design and by default approach to protecting the data they process, to ensure that:
  - data protection is integral to all data processing activity;
  - every processing activity rests on a lawful basis (consent is one of six, and must be freely given, specific, informed and unambiguous where it is relied on);
  - data is held no longer than is necessary for the purpose it was collected for; and
  - data is pseudonymised or anonymised where appropriate, and appropriate technical and organisational security measures are maintained.
It also strengthens the rights of individuals, including how they are informed that their data is being processed, how their consent is obtained, how their data is processed and how easily consent can be withdrawn.
What are we doing to prepare for the change?
In line with GDPR requirements we have:
- Documented the structured data we hold in an Information Asset Register;
- Appointed an internal Data Protection Officer;
- Completed a review of current personal data processes and procedures;
- Commenced GDPR training for all staff to support compliance;
- Reviewed contractual agreements in line with the new legislation;
- Reviewed the security of how we share personal data with third parties; and
- Commenced definition of our ongoing compliance governance framework.
If you have any questions, please do not hesitate to contact our Data Protection Officer: firstname.lastname@example.org