In the first of a series of blogs about changes to data protection laws, the IPG's business support helpline Croner explains some of the basics of GDPR.
What is GDPR?
GDPR stands for General Data Protection Regulation. It replaces the 1995 Data Protection Directive across the EU and, in the UK, supersedes the Data Protection Act 1998. It brings in a strict set of rules on privacy and data security, backed by penalties for businesses that break them, and gives people much more control over their personal data and how it is used.
Why is the legislation changing?
Because digital technology has moved forward far more rapidly than the law. GDPR is considered necessary to help the law catch up with the fast-evolving digital environment.
When do the changes come into effect?
On 25 May 2018, across the European Union.
What rights does GDPR grant?
GDPR gives people about whom your business holds data new rights, including these eight.
1 The right of access. Subjects will be entitled to access their data and find out how you are using it.
2 The right to rectification. People can ask you to update any inaccurate or incomplete data.
3 The right to restrict processing. Where someone exercises this right (for example, while they dispute the accuracy of their data), you may continue to store the data but must not otherwise process it.
4 The right to data portability. People can obtain the data they have provided to you in a structured, commonly used, machine-readable format, and reuse it or move it to another provider.
5 The right to erasure. You can be asked to delete or remove people’s data; this is commonly called ‘the right to be forgotten’.
6 The right to object. People can object to processing based on your legitimate interests, including profiling; an objection to direct marketing must always be honoured, and they can also object to processing for research or statistical purposes.
7 The right to be informed. You must tell people, usually through your privacy notice, what data you collect, why and on what lawful basis, how long you keep it and who you share it with.
8 Rights in relation to automated decision making and profiling. This protects people from decisions made solely by automated means that have legal or similarly significant effects on them; they can ask for human intervention and challenge the decision.
What do I need to do?
Changes will vary by business, but here are seven things to consider.
1 Create a register of the personal information you hold, where it came from, and who you share it with.
2 Put in place a process for handling requests for any data you hold. It should set out how quickly you will respond (GDPR requires a reply within one month, extendable in complex cases), how you will deliver the data securely, and how you will verify that the requester is the data subject or is authorised to act for them before you disclose anything. You should be able to honour the rights of anyone who asks for their data, and be able to prove that you have removed data when asked to do so.
3 Get consent to store, manage, maintain and use personal data, or identify which other lawful basis (such as performance of a contract, a legal obligation or your legitimate interests) you are relying on to process it, and record that decision.
4 Make sure people in your business know the law is changing, and nominate a responsible person to be your Data Protection Officer or representative, as applicable.
5 Review the current privacy notices for the data you store and prepare to change them for GDPR.
6 Decide if you need a system for identifying the age of individuals and whether you need parent or guardian consent.
7 Have an incident response plan in case you lose data or someone steals it. Under GDPR a breach that is likely to put people at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of you becoming aware of it, so decide in advance who investigates, who decides whether to notify, and how you will tell affected individuals if the risk to them is high.
Croner has more detailed advice about GDPR in its white paper. IPG members have free access to the Croner Business Support Helpline, which provides advice on issues including law, HR, tax and much more. Details of how to access the Helpline are available from the IPG.