What is GDPR?
The General Data Protection Regulation 2017, or ‘GDPR’, is a new law affecting all EU organisations that collect and process personal information about individuals; it takes effect from 25th May 2018.
“Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”
At present, the Data Protection Act 1998 requires organisations in the UK to abide by a set of ‘data protection principles’.
These principles relate to the collection, use and storage of personal data.
They also apply to the rights of individuals to access information organisations hold about them.
Data Protection Principles (personal data must be):
- used fairly and lawfully;
- used for limited, specifically stated purposes;
- used in a way that is adequate, relevant and not excessive;
- kept for no longer than is absolutely necessary;
- handled according to people’s data protection rights;
- kept safe and secure;
- not transferred outside the European Economic Area without adequate protection.
The GDPR is part of a larger Data Protection Bill.
It expands and enhances the principles of the 20-year-old Data Protection Act, providing greater rights for individuals over their personal data.
It places increased responsibility on organisations to provide a lawful basis for collection and processing.
An organisation must review its processes for:
- gaining express consent from individuals for the use of their data for such purposes as direct marketing;
- new requirements relating to the consent of children;
- the right to data portability; and
- the right to ‘opt out’ of automated decision making.
“Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.”
What does this mean for small organisations?
The GDPR places an obligation on organisations to complete a ‘data protection impact assessment’.
This helps businesses identify and minimise the risks associated with processing personal data for specific purposes.
The assessment requires businesses to consider the ‘lawful process’ behind the collection of personal data: how it is used, the length of time the data is stored, and the way in which it is stored.
GDPR applies to data protection policies, website notices, and the use of pop-ups and contact pages.
Small businesses must ensure the correct information is provided in line with the GDPR principles:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
Where can I get help?
The ICO has created some really useful guides and toolkits to assist small organisations in their compliance preparations, such as the ‘12 steps to take now’ guide and the GDPR checklist.