ARTICLE

Upcoming General Data Protection Regulation (GDPR) changes

What is GDPR?

The General Data Protection Regulation (GDPR) act has been put in place April 2016 with the intention of it coming into full legal force by May 2018 to replace the current Data Protection act of 1995.

The idea of GDPR, much like the Data Protection act of 1995, is to strengthen data protection between a Processor and Controller. A Controller is a term we use to describe the organisation who determines the purposes and means of processing personal data. A Processor refers to one or more organisations who are responsible for processing personal data on behalf of a controller.

GDPR’s objective is to replace all of the EU’s various data protection laws with one single regulatory framework. GDPR is not designed to replace the EU’s existing data protection rules, but instead introduces new requirements to support them.

GDPR applies to all organisations that operate within the EU and any organisation that offer services to those within the EU. It affects any personal data (sensitive or not) collected by the Processor, this could be as simple as a name, address or location coordinates, to more sensitive data such as biometric or genetic. On the issue of Brexit: The UK government has confirmed that all UK organisations must also comply with GDPR, regardless of Brexit.

The Processor, as the keeper of the data has a legal liability if there is ever a breach of data.

What does this mean for the customer?

With GDPR the user has right of access to their data at any point. This means that the user has the right to view any data stored about them and learn about what procedures are in place for processing their data. They are also, upon request, allowed to know with whom any data of theirs is shared with and how the data was originally collected.

What does this mean for the organisation?

The GDPR aims to force organisations into keeping better track of the data they gather and to enforce a higher level of overall security measures in place to protect the data whilst also showing they have a plan should a breach of data ever occur.

Organisations will need to take steps now to ensure that they are GDPR compliant. Some larger organisations may find there are significant implications to become compliant, such as software security, data control processes and the cost of review and implementation.

What are the key changes introduced by GDPR?

The most notable changes affecting organisations include:

  1. GDPR will bring all EU countries under the same data protection framework, rather than each country having their own, potentially different regulations.
  2. Individuals must freely give their consent to the processing their personal data. This means that users must be clearly notified about the collection of their data, and the reasons why the Controller is doing so.
  3. Consent must now be obtained from a parent or guardian if the user is below the age of 16 (or 13 in some member states).
  4. New data access rights for individuals, giving them greater control over the way their information is handled. This includes the right to request all their personal data is erased, and the right to transfer personal data from one Controller to another.
  5. Software should be designed to protect personal data as standard.
  6. Processors may need to appoint a Data Protection Officer under certain circumstances.
  7. Assessments may need to be performed to determine if any personal data being processed is ‘high risk’, and to determine the impact of a data breach.
  8. All organisations transferring personal data to a third party must ensure that said third party is GDPR compliant. Organisations based within the EU should already be compliant with the regulations, however, non-EU organisations will need to confirm that they have the required safeguards in place.

Check the ico.org.uk link at the bottom of this article for full details.

What are the main principals of GDPR?

There are 7 points indicated in the GDPR documentation that organisations should abide to, these are:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  7. The Controller shall be responsible for, and be able to demonstrate, compliance with the above principals.

This article is not updated, for a more in-depth overview of GDPR please see the following living documentation at:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr