What is GDPR?
GDPR stands for General Data Protection Regulation. It is a European Commission-approved European privacy law that replaces the “Directive” that has been in place since 1995. Obviously, with the changes in technology over the last 23 years, new legislation is needed to protect people’s privacy. It impacts how organisations can obtain, store, use and delete personal data.
Do I only have to worry about my UK data?
No, all EU states are covered by the law, so if you operate within the EU and/or offer services to people in the EU states, you have to comply.
What rights do individuals have?
You have a legal duty to keep any data you hold secure – both customer and employee.
GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making.
When you collect information about people, they should know who you are and what you’re going to do with their information. There should be a clear explanation that is easy to find on your website.
Find out more about these terms at www.ico.org.uk.
What will happen if I do not comply?
Although ultimately you could be fined, the Information Commissioner’s Office (ICO) claims that assessments will be conducted before fines are imposed. They will consider: ‘the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage.’ ICO (accessed www.ico.org.uk 23.4.18)
A blog by Elizabeth Denham, Information Commissioner, dated August 9th, 2017, claimed that “It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.” (www.iconewsblog.org.uk accessed 23.4.18)
How quickly do we have to report a breach?
You have to report a breach within 72 hours of its discovery. The UK supervisory body is the ICO. You can find their website at www.ico.org.uk.
Do I need a Data Protection Officer?
Although it is considered best practice to appoint a DPO in larger companies, the following rules apply:
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
What if they opted in to receive newsletters or be part of our data?
It depends on how the data was collected. If you have been transparent about what the data is used for, they opted in, and they can now opt out at any time, you are compliant. Continue to allow them to opt out at any time and make it clear to them.
Remember, even if they have been receiving newsletters for a long time, pre-ticked boxes and opt-out-style sign-ups do not count.
How soon do we have to pass on data in the event of a ‘Subject Information Request’?
You have one month to supply the information.