On May 25th, 2018, the EU will see the biggest update to its data protection laws in 20 years as enforcement of the General Data Protection Regulation (GDPR) begins. GDPR brings many new rules on the way businesses may gather, store and process data, which has naturally become a cause for concern for many of them. Yet, considering the vast advances in technology and data over the past two decades, and how businesses' use of both has changed, it is surprising that we have waited this long.
Since the most recent update to the UK’s data regulation in 1998, we have seen the birth of technological and data advances such as social media and cloud storage to name but a few. With businesses gathering vast amounts of personal data on consumers from behavioural analytics to personal characteristics, the subject of personal privacy and protection has become a major concern.
Many companies, such as Google and Facebook, have built extensive business models on trading access to their platforms for our agreement to share our data with them. While this has driven tremendous advances in the goods and services businesses deliver, it also gives individuals little control over what their data is used for and how it is stored, and consequently can leave them at risk of theft, fraud and other misuse. By strengthening these measures, the EU aims to improve trust and reduce the overall risk to individuals.
The GDPR aims to harmonise data privacy laws across Europe, creating an equal playing field and more importantly making it simpler for businesses to understand and manage their own compliance.
GDPR widens the definition of personal data to encompass anything that can be used to directly or indirectly identify a person. This covers a broad spectrum, from names, photos, email addresses, bank details and posts on social networking sites to medical information or IP addresses, to give a few examples. The regulation protects this data whether it is processed automatically or manually, and whether it is held on paper or electronically.
The GDPR places accountability on everyone involved in gathering, storing and using personal data. Unlike under the Data Protection Act, responsibility for compliance is no longer tied solely to the Data Controller.
Under GDPR both “controllers” and “processors” are accountable for making sure that the principles of GDPR are followed.
A data controller is the person or organisation that determines what personal data is gathered and for what purpose it is processed. The controller decides the manner in which personal data is processed, meaning it owns the "why" and "how" of all data processing.
A data processor, on the other hand, is whoever gathers and "processes" the data on behalf of the data controller. Under GDPR, processors are directly liable alongside controllers, so data protection obligations extend to every organisation that handles personal data in either role.
Data Controllers must be able to demonstrate the organisation's compliance with the GDPR. However, both processors and controllers are accountable for ensuring the correct procedures are followed.
Organisations will have to be open and transparent about why they are collecting personal data and what they intend to do with it. This means explaining to the data subject up front what their data will be used for and, where consent is the lawful basis for the processing, obtaining that consent.
Personal data may only be collected for specified, explicit and legitimate purposes, and may not be further processed in any way incompatible with those purposes. Consequently, data legitimately gathered for one purpose cannot then be used for another objective unless the organisation obtains further consent from the data subject or has another lawful basis for doing so.
Data Subjects have the right to access their personal data, and organisations must respond to such a request within one month (extendable by a further two months where a request is particularly complex). Organisations are also responsible for ensuring inaccurate data is corrected or erased, giving data subjects the right to verify and amend the personal information held on them.
Data Subjects also have the right to request that their personal data be erased, provided there are no legitimate grounds for retaining it.
GDPR requires organisations to evaluate how much personal data they hold and for how long. Where processing is likely to pose a high risk to individuals, a Data Protection Impact Assessment (often called a Privacy Impact Assessment) is required. The regulation also states that when personal data is gathered on an individual, the organisation should not collect any data beyond what is necessary for the intended purpose.
Fines of up to 4% of annual global turnover or 20 million euros, whichever is higher, can be imposed for breaches of GDPR.
In the event of a personal data breach that is likely to result in a risk to individuals, the data controller must notify the supervisory authority no later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed without undue delay.