What is GDPR?
Data protection is about trust and about handling the information of individuals in a way that is both fair and transparent. If you collect information about individuals for anything other than your own personal, family or household purposes, you need to comply with the appropriate privacy laws.
In the UK, data protection is governed by the Data Protection Act 2018, which sets down rules for how organisations handle data relating to the individuals they deal with. It mirrors the General Data Protection Regulation (“GDPR”), which came into force on 25th May 2018; post-Brexit, the DPA 2018 incorporates GDPR into UK law with minimal amendments. If you do business in the UK or deal with individuals who live in either the EU or the UK, then regardless of where you are based the GDPR and its requirements will apply to you and your work. Failure to comply with it could result in fines of up to 4% of your turnover or 20 Million Euros, whichever is lower.
GDPR also applies across all sectors, with sole traders and charities working to more or less the same guidelines as large organisations. It requires accountability and transparency about what you do with personal data, including requiring you to demonstrate that you process it fairly and lawfully.
GDPR is only concerned with personal data. Personal data is information about living individuals which enables them to be identified, and it includes genetic and biometric data as well as location data.
There are strict requirements on how you process data and on providing data subjects with information about what data you hold, where it is held, who you share it with, how long you hold it, where it came from and what security measures you have in place to protect it. There is also an emphasis on the security of data and a requirement to report breaches or data loss within 72 hours of the breach or loss incident occurring, as well as increased rights for individuals, including the right to be forgotten and the right to portability of their data when their relationship with you ends.
In addition to fairness and transparency, as already mentioned, the overall emphasis is on the rights of the individual and on data minimisation, moving away from profiling and big data. Organisations need to plan for compliance, which will include: reviewing, classifying and auditing the types of data they hold; ensuring appropriate policies are in place as required by GDPR, including robust privacy statements or processing notices; updating procedures to cover responding to data subject access requests, reporting breaches and ensuring proper collection of consents; having a lawful basis for processing; and training staff on GDPR and the new processes and procedures. GDPR also sets out conditions which apply when you transfer data outside of the UK or EU, to ensure that individual data subjects’ rights are safeguarded and protected. Essentially, it is a mandatory set of good data management practices.
If you would like advice on any aspect of GDPR, please contact us.