GDPR – What’s it all about?
- On 26th October 2017
Just in case you weren’t already aware, GDPR (or the General Data Protection Regulation) is the hot topic of the moment as many organisations begin to prepare for the changes, which will be coming into force in May next year. The GDPR looks to provide better protection to data subjects (you and I) in a fast-paced digital world where data is king.
The new regulation will supersede the current Data Protection Act and builds on the existing legislation. The way in which organisations use data has changed so much over recent years, and the new approach will modernise the way data is handled and bring this into the 21st Century.
Here are 10 key facts about the GDPR which you may need to consider before beginning to implement any changes.
- The new regulation was introduced in 2016, however organisations have until 25th May 2018 to be compliant
- GDPR will look to change the way organisations collect, store, process and protect personal information for their clients, employees and customers
- Leaving the EU will have no impact on whether or not the GDPR regulations come into force, special considerations need to be made for companies trading internationally
- The GDPR applies to all companies across the globe who process personal data of EU citizens
- DPA consent isn’t enough. As stated in article 4 of the GDPR “…any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. This means customers will need to opt into an agreement voluntarily with an organisation, which has been clearly explained and states how data will be handled, there must not be an automatic enrolment where customers have to opt out
- Accountability is key, organisations will need to understand any risks they create for data subjects and mitigate those risks. There will need to be a better approach to governance and compliance with robust processes in place
- Organisations will need to have a dedicated Data Protection Officer if they fall into the following categories: a public authority, carry out large scale tracking or carry out large scale processing of special categories of data or data relating to criminal convictions and offences
- Mandatory privacy impact assessments (PIAs) will be introduced, meaning data controllers will need to conduct PIAs where the risk of privacy breaches is high to minimise any risks to data subjects
- Data breaches will need to be notified to the local data protection authority within 72 hours of it being discovered, organisations will therefore need to ensure their technology and employees are able to detect these breaches effectively
- The way in which data can be held by organisations is changing. GDPR means companies can only keep data for as long as it remains absolutely necessary and can only use the data for the original purpose it was collected. If companies wish to use it for a different purpose they will need to obtain permission from the data subject. Data subjects also have the right to be forgotten, which means they can ask to have all of their data deleted, which must be adhered to.