General Data Protection Regulation (GDPR) changes are coming
The General Data Protection Regulation (GDPR) is set to impact companies of all shapes and sizes. From May 25th 2018, the new regulation will change the way that personal data is collected and stored across the UK and the rest of the EU.
That’s why this month we’ve created a short guide of our understanding of GDPR. It outlines some of the key information, including who is responsible for compliance, and some additional useful links.
What is GDPR?
The General Data Protection Regulation (GDPR) is the new law that governs the collection and use of personal data. In the UK it will supersede the Data Protection Act 1998 and strengthens the previous rules.
GDPR sets out the standards for data collection and gives power back to the people the data is about (the data subjects): they can ask to retrieve a copy of their information and, should they wish, have it removed.
When will GDPR come into effect?
May 25th, 2018. A short answer, but it’s an important date.
What are the GDPR requirements?
There are several key ways that organisations need to prepare for the introduction of GDPR, and these will impact the way you operate in the future too:
Appoint a Data Protection Officer
It’s recommended that you assign a Data Protection Officer (DPO) before GDPR comes into force. They will be responsible for monitoring your data protection compliance, so this role needs to be assessed to see where it fits into your organisational structure.
However, in some cases you must appoint a DPO. Organisations that have to do this include:
- Public authorities
- Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale
- Organisations whose core activities involve large-scale processing of special categories of data (such as health records) or of data relating to criminal convictions
As with any business, you have a duty of care to your customers, employees and anyone else whose data you hold. This means that you need to be clear about how their data is collected and what it is being used for, and that information must be given in clear, plain language whenever it is asked for.
You might think that just being compliant is enough. Unfortunately, you also need to be accountable. What does this mean? It means that you have to be able to demonstrate that you are following the new regulation.
This includes maintaining an up-to-date record of all your data processing activities, whether it’s through newsletters, job boards or targeted marketing campaigns.
Should a personal data breach happen, you must report it to the ICO within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), describing what actually happened, the likely consequences, and the measures you have taken or propose to take to deal with it. Being able to show the preventative measures you already had in place before the breach occurred is part of that accountability.
Deletion and portability
You need to be able to delete the data you hold on an individual when they ask you to and it is no longer needed (or another ground for erasure applies). At the same time, you need to be able to hand over their data, on request, in a structured, commonly used and machine-readable format so it can be moved to another provider. Both come under the individual’s rights when GDPR comes into force.
Understand an individual’s right
In this case, the individual is the person who the data is about. For example, if you sign up for a newsletter and include your personal information in the sign-up form, that data is about you. GDPR will include the following rights for individuals:
- The right to be informed
- The right of access to information
- The right to rectification if the information is wrong
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be the subject of automated decision-making, including profiling
What about Brexit?
The rules still apply, despite the UK’s planned exit from the EU. The government has stated that it will implement an equivalent Data Protection Bill, which will keep GDPR’s data privacy standards in UK law.
Who’s responsible for GDPR compliance?
If you’ve worked with a web design agency in the past (or even if you’re currently working with one) you may think that it’s down to them to ensure you are compliant.
Unfortunately, that’s wrong.
Since your website belongs to YOUR business, you will be defined as the controller, because you decide why and how personal data is collected, whatever method your website uses to collect it (Google Analytics, cookies, contact forms etc). An agency or analytics provider that handles that data on your instructions is a processor, and GDPR requires a written contract between you and each processor setting out what they may do with the data.
This means if there is a GDPR breach, you will be responsible for it as the controller; whatever the agency’s own obligations as a processor, you cannot transfer that responsibility to them.
Useful links for further reading
To help you understand GDPR in more detail, we’ve listed several sources that should help shed some light on what comes next, what actions you need to take and much more.
- The European GDPR website
- The Information Commissioner’s Office (ICO) overall guide
- ICO: 12 steps to take PDF guide
- IT Governance
- Gov.uk Statement of Intent
Whilst One2create are unable to give actual legal advice on GDPR compliance (we’re not lawyers), we can help make suggestions, based on our own understanding.
However, if you are still unsure about what procedures you need to put in place, we recommend seeking professional legal advice from an expert before GDPR comes into force.