General Data Protection Regulations GDPR

GDPR is The General Data Protection Regulations that are replacing The Data Protection Act. Its all about protecting your clients data.

Here is quick list, covering the key points of GDPR to help you get started.

GDPR - The Essentials

When: Comes into force 25 May 2018

Why: To improve trust in a digital economy, by making those who hold your data accountable for keeping it safe

What: GDPR is the new EU privacy law and it will protect 750 million EU citizens' personal data

Where: It applies worldwide to any company / organisation holding personal data on EU citizens

Who: Controllers (nominated person) and processors of EU citizen data must abide by GDPR, regardless of where they are based. Processors now have a much higher duty of care than under the UK Data Protection Act 1998

How: Standardised rules apply for everyone. Huge fines for non-compliance.

GDPR - The Detail

1. Tougher fines for non-compliance and breaches. Penalty is 4% of annual worldwide revenue or 20 Million Euro whichever is bigger.
2. Returns control to data owner; i.e. the customer or member
   1. How data is used, processed and stored
   2. What data is used and for what purpose
   3. What is collected and how – what’s personal?
3. People will have the right
   1. to access any information an organisation holds about them
   2. to know why that data is being processed
   3. how long its stored for
   4. how the organisation processes it
   5. ask for incorrect data to be rectified
   6. insist on the right to be forgotten. i.e. to ask for to be deleted if no longer used.
4. Controllers must ensure data is processed lawfully, transparently and for a specific purpose. It’s lawful:
   1. If the subject has consented
   2. To comply with a contract or legal obligation
   3. To protect an interest that is ‘essential for the life of’
   4. If processing in the public interest
   5. If it’s in the controllers legitimate interest i.e. preventing a fraud
5. Consent must be an active, affirmative action by the data subject. Opt-out will not be allowed.
6. The new definition of personal data is much wider and includes such things as IP addresses.
7. Organisation is responsible for reporting a breach within 72 hours to Information Commissioner
   1.  Outline nature of breach and the type of data affected
   2.  Assess (roughly) how many people will be impacted
   3.  What the consequences of the breach might be for the subjects
   4.  Measures taken and /or planned in response.
8. It will replace The Data Protection Act 1998 even though we’re leaving the EU.
9. If you process or hold data you must appoint a data protection monitor.
10. Start preparing now.

Save

Save

Save

Save