The new European Union General Data Protection Regulation (GDPR) will come into effect on 25th May 2018.
Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data are covered by the GDPR. Companies with more than 250 employees face additional requirements, such as keeping records of why personal data is being stored and processed and a description of the security measures that protect it.
The GDPR covers all EU member states. However, organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals within the EU will also need to comply.
Both personal data and sensitive personal data are covered by the GDPR. Personal data broadly means any piece of information that can be used to identify a person, such as a name, address or IP address. Sensitive personal data covers the ‘special categories’ of data, such as genetic or biometric data, health information, and information about religious or political views, amongst other examples.
Consent and Processing
Collection and processing of personal data must be for “specified, explicit and legitimate purposes”.
In some situations businesses must obtain consent before processing data. When an organisation relies on consent as its lawful basis for using a person’s information, it has to explain clearly what the person is consenting to, and consent must be a “positive opt-in”: pre-ticked boxes or silence do not count.
Rights of individuals
Once the GDPR is in force, individuals will have greater powers to dictate what data may be stored about them and how it is processed. These rights allow an individual to request:
- That the personal data you hold about them is provided in a structured, commonly used, machine-readable format, or sent directly to a third party. This has to be provided free of charge and within one month of the request.
- That any inaccurate information you hold is corrected.
- That information you hold is erased in certain situations, for example when it is no longer necessary for the purpose it was collected for, or when consent is withdrawn.
- That decisions with legal or similarly significant effects on the individual are not made solely on the basis of automated processing.
- That you stop, or restrict, the use of their data for certain purposes.
Notification and enforcement
In the UK the GDPR will be enforced by the Information Commissioner’s Office (ICO).
Depending on how your organisation uses data you may be required to formally designate a Data Protection Officer (DPO); this applies, for example, to public authorities and to organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive personal data.
Organisations need to be able to demonstrate compliance, so even if you haven’t suffered a breach your GDPR strategy should still be auditable.
Where a breach is likely to result in a risk to individuals, the ICO must be notified within 72 hours of the organisation becoming aware of it, and where the breach is likely to result in a high risk to the people affected, they also need to be told without undue delay.
The ICO has the power to impose significant penalties on organisations that breach the GDPR, including fines of up to €20 million or 4% of the business’s annual worldwide turnover, whichever is greater.
If you’d like more advice about how ITD can assist you with your GDPR preparedness, we are happy to arrange an informal, no-obligation meeting. As a leading IT service provider based in central London, we offer a range of IT consultancy and support services to our clients. Why not give us a call on 020 7648 4840 to see how we can help you?