In May 2018 the new General Data Protection Regulation (GDPR) came into force, changing the way data about people is collected, stored and used across the EU. It turned out to be one of the most wide-ranging pieces of legislation of recent times, brought in to standardise data protection law across the single market and give people better control over how their personal information is used by players in the digital economy.
Here's a summary of GDPR revealing everything you need to know in plain, simple terms.
Who needs to take note of the GDPR?
In a GDPR context the word 'processing' covers almost every type of data usage, including collection, storage, retrieval, alteration, removal and destruction. If your business processes personal data and either operates in the EU or sells there, you'll be affected by the GDPR.
Data Controllers decide the purpose and manner in which data is processed. Data Processors are usually third parties who process data on behalf of a Controller. The GDPR is equally important for data controllers and data processors.
What happens after Brexit?
The GDPR and the Data Protection Act 2018 are designed to be read together. It's important to know that the Data Protection Act 2018 (passed as the Data Protection Bill), which ensures we'll remain a ‘world-class regime protecting personal data’, will continue to enforce GDPR standards after Brexit.
Can you define 'personal data'?
Article 4 of the GDPR says personal data is ‘any information relating to an identified or identifiable natural person’. For most businesses this means putting in place 'appropriate measures' to protect the information you collect and keep about employees, customers and partners.
The GDPR's definition of personal data is wider than that in the Data Protection Act 1998, since it includes information that can indirectly identify individuals, for example ID numbers, location data and online identifiers such as cookies and IP addresses.
Examples of personal data
Under the GDPR rules personal data includes Human Resources records and customer contact details, health records including any biometrics, your CV, images, and recorded conversations.
What are the six key principles of the GDPR?
Here are the main principles all organisations need to comply with around the collection, processing and retention of personal data.
Personal data must be:
Processed lawfully, fairly and in a transparent way
Only collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what's necessary
Accurate and up to date
Only kept for as long as necessary
Processed in a way that ensures security
How is GDPR different from the Data Protection Act 1998?
An expanded definition of 'personal information'
Increased sanctions and bigger fines
Some types of organisation need to nominate a Data Protection Officer
The consent rules have been tightened up around the use of personal information
There's a new Right to be Forgotten, under which people can have their information erased from the records
Privacy by design means data protection is considered at every stage in a product or service's development
Do you need support with GDPR?
As a start-up or new business, have you taken the GDPR into account at every appropriate stage? As an existing business, are you 100% sure you're GDPR compliant, safe from fines? Either way we'll be glad to help.