In the first in a series of posts about GDPR, we are going to cover the basics of what it actually is, why it has come into being, and how it will affect both individuals and companies alike.
GDPR is the General Data Protection Regulation and will replace the current Data Protection Act (DPA).
It was introduced by the EU in May 2016 with a two-year transition period and comes into force on May 25 2018. The aim of the GDPR is to unify data protection law within the European Union and, even though we are leaving the EU, the GDPR will remain. There are two main reasons for this:
The DPA is outdated. It was last updated in 1998 and so was not designed to cope with all the new data that has been generated by our current technology.
The GDPR applies not just to members of the EU but to all businesses, regardless of their location, that hold or process the data of EU citizens.
Our current DPA was based on a 1995 EU directive that suggested best practice for its Members, but was implemented very differently by the individual countries. The GDPR grew out of a desire for consistency from individuals who wanted their details handled in the same way, regardless of which country they were processed in, and businesses who wanted to run a single system without the need to administer data differently in different locations.
Will it affect me?
The short answer is yes.
Any entity that handles personal data, whether it belongs to customers OR staff, will be subject to the GDPR. Realistically, anyone currently subject to the DPA will also be subject to the GDPR.
The GDPR gives you more control over the personal data a company holds about you and what they can do with it.
Preparing for the General Data Protection Regulation
At its heart, the GDPR is about the rights individuals have over their personal data rather than a set of rules for businesses to follow.
The aim is to create some new rights for individuals and strengthen others that currently exist in the DPA. With the key principle of transparency running through the GDPR, companies will need to show how consent has been obtained to process an individual’s personal data.
Companies will also need to be able to demonstrate how and why they have personal information, what they will do with it, how long they will keep it, and also to provide anyone with the following rights:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
The ICO have put together a PDF, "12 steps to take now", to help businesses prepare for the GDPR. Click the link to download it.
With under a year to go until the GDPR comes into effect, businesses need to be taking steps to prepare for it. Unfortunately, many of the finer points are still being worked on, making compliance even harder. To make things easier for you, we will aim to keep you up-to-date with changes as and when they become finalised.