Are you GDPR-ready? Here’s what you need to know
“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union” *.
The first thing to say is this: the British government has confirmed that Brexit will not affect GDPR. The GDPR affects data processing by organisations within the EU. It also applies to companies outside the EU which provide goods or services to people in the EU. The only things it does not cover are data processing for national security purposes and processing purely for personal or household reasons.
So GDPR is on the way, and there’s no avoiding it. The new regulations have been on the cards for quite a while, and now things are beginning to heat up. There’s an enormous amount of depth to it. We can help ensure your organisation complies with the IT elements of the new data protection rules which will be enforced from 25th May 2018.
Providing essential help with GDPR IT compliance
Ultimately, responsibility for compliance lies with each company, and advice should be sought from professionals, including lawyers and IT specialists. Although we’re not GDPR compliance consultants, we can offer expert advice on how to tackle the IT side of the GDPR process. GDPR will touch many aspects of your business, in particular the IT and systems side of things, and we’re here to guide our current and future clients through the process, drawing on our own and our clients’ experiences.
What is GDPR?
Like the original Data Protection Act (DPA), the GDPR refers to personal data. For most organisations that hold HR records, customer databases and so on, the GDPR’s wider definition will not make much difference. It is safe to say that any information that fell under the DPA also falls under GDPR. However, to catch up with the digital landscape most of us now operate within, the definition of ‘data’ has changed: now, any information used to identify a person online, for example, an IP address, counts as personal data.
The new laws apply to automated processing of personal data as well as to manual filing systems, and they include chronologically ordered manual records that contain personal data. Personal data that has been key-coded (pseudonymised) also falls under the new rules, although that can depend on how easy it is to link a pseudonym back to a person.
The GDPR principles are similar to the DPA with the biggest difference being around accountability. You will have to show how you comply with the principles, an example being documenting all the decisions you take about a particular data processing activity. As Article 5 (2) of the new rules says, “the controller shall be responsible for, and be able to demonstrate, compliance with the principles” **.
Like the DPA, the GDPR affects both data controllers and data processors, and the definitions remain much the same for both. A controller decides how and why personal data is processed, the processor does the work.
If you are a data processor, the new rules impose specific legal obligations on you; for example, you must keep records of all your business’ personal data and processing activities. If that is you, your role comes with a lot more legal liability under the GDPR than it did under the DPA. As a controller, the GDPR puts even more obligations on you to make sure your processors comply.
People have rights under the GDPR: the right to be informed, rights of access, rectification, erasure, restricted processing, data portability, the right to object, and various rights around automated decision making and data profiling. Your IT systems need to make all this possible.
The rules about data usage
We couldn’t express it more clearly than the Information Commissioner’s Office**. This is what they say about the way data must be processed under the GDPR. Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How we can help you with GDPR
As we mentioned at the start, you are responsible for your own business’ compliance. However, we can guide you on your journey to IT compliance, making sure your systems are in line with the new requirements. If you need an expert IT partner to see you through the process before the new rules kick in next May, give us a call on 01235 426700 or email firstname.lastname@example.org to discuss the details.