You’ve probably heard about the EU’s General Data Protection Regulation (GDPR). It’s an important piece of legislation that comes into effect from the 25th May so we thought we’d cover the key points.
Firstly, it’s important to mention that the UK has always looked to maintain high standards through the Data Protection Act, so the good news is that GDPR shouldn’t be a massive shock to the system. However, there are some key changes that businesses and individuals should be made aware of.
Although there will be many pages of text, the simple principle behind GDPR is to put personal data back in the hands of the individuals who own it and to ensure organisations are transparent about how they use it.
Companies that use personal data will need to have practices in place that are GDPR compliant. They should only collect personal data that they need and only store it for as long as they need it.
From a business perspective, all data needs to be safe and secure. This will mean that any data should be kept securely, encrypted and safe from prying eyes.
Within businesses, there should be somebody who is ultimately responsible for ensuring staff are properly trained and the regulations are adhered to.
From a client perspective, there are certain rights that fall under 3 main headings:
1. The right to be informed
2. The right of access
3. The right to rectification
The right to be informed means that businesses will need to give people information about the data processing they carry out. This will usually be provided in a Privacy Notice or Privacy Statement.
The information needs to be concise, transparent and easily accessible. It also needs to be written in clear and plain language and free of charge (one of the key changes).
The right of access means that data subjects must receive confirmation that their data is being processed, access to their personal data and other supplementary information.
Any subject access requests must be dealt with within one month of receipt and generally speaking there will be no fee for this.
The right to rectification means that data subjects can have their personal data rectified if it is inaccurate or incomplete and any request to rectify must generally be dealt with within one month.
We have received a few enquiries asking whether GDPR is still happening given its EU origin, and the simple answer is yes. Firstly, the implementation date is prior to Brexit and secondly, regardless of Brexit negotiations, the aim of GDPR is to create a level playing field across the bloc and give EU citizens the same rights over their personal information, wherever it is processed.
Contrary to what many believe, this legislation will potentially also apply outside the EU. Any organisation that is outside the EU but which offers goods or services to individuals within the EU, or which ‘profiles’ (monitors) individuals within the EU, will also be subject to these rules, so the extent of the GDPR is far reaching.
Although this seems like more regulation, we believe that it’s important to understand the spirit and principle of GDPR, particularly as the protection of our personal data becomes even more important in an ever-changing world.