GDPR – the story so far
The new legislation creates an onus on companies to understand the risks they create for others, and to mitigate those risks.
In short, GDPR…
- Is EU legislation that will be the legal framework for data protection across Europe including UK
- Comes into force 25 May 2018 and businesses will be accountable from day 1
- Will significantly impact the way in which businesses hold, store and use personal data
- Is more onerous than the Data Protection Act (DPA) and better reflects today’s world
- Its “accountability principle” requires businesses to demonstrate compliance
- Fines are significant
Key principles are that an individual’s data is
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Relevant and limited to what is necessary
- Accurate and up-to-date
- Permits identification for no longer than is necessary
- Processed securely
Some of the major implications
- Data processors and controllers – processors are now required to maintain records of personal data and processing activities and are significantly more liable if responsible for a breach.
- Consent - has to be freely given, specific, informed and unambiguous. It now requires “clear affirmative action” and so silence, pre-ticked boxes or inactivity do not count. It must be verifiable and can be withdrawn at any time.
- Rights - individuals have the right to be informed of access, to rectification, to be forgotten, to restrict processing, to data portability and to object to automated decisions or where profiling has occurred.
- Accountability - organisations must demonstrate compliance and businesses of 250+ people must keep additional records. In addition, certain types of organisations will have to have a Data Processing Officer.
What the ICO says
“The new legislation creates an onus on companies to understand the risks they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise! The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Having the right mindset towards data protection helps to future proof a business.“
Need to know more?
We’re ISO 27001 certified and pride ourselves on being both data-savvy and data-compliant. But if you specifically want to read up more on GDPR itself, check out the ICO Guide or the DMA’s dedicated resource for GDPR-compliant marketing.