Effective from May 2018, the GDPR is a new framework for data protection that replaces current UK and EU regulations. It has two main purposes: to give people control over their personal data and to ensure consistency in the way personal data is held and processed throughout the EU. Forget the fact that we are leaving; the new rules will be written into UK law.
Non-compliance is not an option. There has been much publicity about the powers of the Information Commissioner's Office (ICO) to levy hefty fines equal to four percent of global turnover. Compliance is all about respecting the rights of individuals (data subjects, in the jargon) to control how information that identifies them is held and processed.
Individual rights include:
- Rights to be informed and have access to records that you hold.
- The right to object to the information held and have it corrected or deleted.
- The right to restrict how the information held is used and to opt-out of profiling and automated decision making.
- The right to portability so that records can be transferred to another party at the data subject’s request.
Portability is a new right, but the others are all in line with current regulations. This looks like a lot of work, and so the Act makes it mandatory that organisations of 250 people or more appoint a Data Protection Officer (DPO) to police compliance and deal with access requests, consent and so on. Appointment of a DPO is not mandatory for firms of fewer than 250 people; nevertheless, it would be foolhardy to think that the ICO is giving them a licence to flout the data protection principles.
A good example of where firms could slip up is consent to hold personal data. Consent must be ‘clear and unambiguous’. This means a fully informed opt-in, not linked to other terms or conditions and certainly not something that requires people to un-tick a pre-ticked box.
It is important to have a legitimate reason for holding personal information. Employee records, details of individuals or companies that you regularly do business with are good examples, but once the reason for holding such data ceases these records should be deleted.
Sharing personal data with third parties without specific consent will be an offence, as is profiling by adding personal data from other sources to the record. Companies that do share information with partners and other third parties must also take responsibility for the integrity and security of that information. This means every action that you take, such as an update, a consent change or a deletion, must cascade through the complete chain of data users.
There are very strict rules about data breaches. Such breaches need to be notified to the ICO and the affected individuals within 72 hours.
Finally, it is worth noting that GDPR covers all records, computer-based and manual, so look at the computer files, filing cabinets, laptops and mobile phones and see what you have and whether you are holding it legitimately. If not, delete it, destroy it or seek new consent.
This will be a huge change and many of the finer points will only be ironed out as GDPR is implemented and case law is established. For now I would urge you to read the many articles on the internet to understand the principles and the action to take.
If you require public relations and content creation services, contact us now.