Creative business colleagues analyzing photographs at conference table in office
Five things you need to know about the General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation that is in force from 25th May 2018. GDPR recognises that times have moved on since the Data Protection Act 1998. We live in a digital age where more and more data is processed in less and less transparent ways resulting in greater intrusion into our private lives.
GDPR is designed to give greater rights to individuals to control their own data and how it is used. The regulation puts the emphasis on organisations proving that they are doing no harm by processing personal data. It requires organisations to be more accountable for their data processing activities by not only requiring them to comply but demonstrate how they are doing so.
GDPR is not just about customer or client data – employees’ personal data and details of suppliers and other contacts are also covered.
Who does GDPR apply to?
The General Data Protection Regulation applies to those operating in the EU (including the UK) or selling products or services to EU citizens. It applies to all organisations from sole traders, microbusinesses and other small enterprises to large multinationals. If you collect, record, store, use or disclose data for your own purposes or that of another organisation, GDPR applies to you. There are some exemptions for small businesses on what records they must keep but these are unclear and untested – and don’t mean small businesses can ignore GDPR.
GDPR was transposed into UK law in 2017 ensuring that the regulation will remain part of UK law post Brexit. The new Data Protection Act 2018 will go live soon.
Recognising individual rights
First of all, the General Data Protection Regulation recognises the absolute rights of a person to own and have control over data that’s about them. There are eight key rights that GDPR identifies giving, for example, individuals the right to ask for copies of their information that you hold and the right to require you to delete it or transfer it to another company. In order to respect these rights, organisations need to think about data processing as being allowed to “borrow” that person’s data to do something positive for them.
‘Personal data’ applies to any information that means you can identify a living person. That’s a very wide definition that includes everything from a name, work or personal email address and phone number to a computer’s IP address and even photos and images.
The six principles of GDPR
Each person’s data must be processed in a lawful, fair and transparent manner. This means that an organisation must have a clear basis for using the person’s data and clearly communicate what they’re doing with it.
The person’s data must only be used for the purposes that the organisation declares - and nothing else. If an organisation wants to use it for a new purpose, it needs to check with the person.
Organisations must minimise the amount of personal data they hold and use, only keeping what is absolutely essential for meeting the purpose. Any additional data is considered unnecessary and must not be kept ‘in case it comes in handy or we work out something new we can do with it’.
Data must be accurate and up to date. Sometimes, the easiest way to ensure this is to help people keep their own information up to date.
Organisations should only keep personal data for the time needed to perform the task they’re doing (the “purpose” in 2 above). It’s ok to keep certain information for several years if you can justify it is necessary to meet legal obligations.
Personal data must be kept securely. An organisation needs to have technology and organisational safeguards in place to ensure that personal information remains confidential as well as being accessed when needed, and being up-to-date and correct.
How do I comply?
All organisations need to take steps to not only comply with the General Data Protection Regulation but demonstrate that they are doing so.
Astrid is an online platform designed to help small and medium sized businesses (SMEs) protect the personal data they hold and meet the requirements of GDPR. Developed with small businesses in mind, our secure online platform shows you what you need to do, and gives you the tools and information you need - all broken down into practical, manageable steps. Find out more about our services.