What is GDPR?
Since May 25, 2018, the UK and the rest of the European Union have been covered by the General Data Protection Regulation (GDPR). The new rules bring the law on handling personal information up to date with the way data is actually collected and used today.
The data protection laws they replace were widely considered outdated. They dated from a review in the mid-1990s and had failed to keep pace with technology and with the ways companies and government bodies have used personal data since then. The new rules give individuals more control over how their personal information can be used.
Although the GDPR brings in big changes, it does not rewrite every aspect of how data is stored and used. It strengthens the protection of personal data, so the companies and organisations that hold a person’s information face tighter restrictions on what they can and cannot do with it.
The GDPR reframes data protection law across Europe. It directly replaces the 1995 Data Protection Directive (Directive 95/46/EC). UK law is now based on the GDPR’s rules and regulations.
Why did we need the changes?
The new legislation was brought in to harmonise data privacy law across the whole of Europe and to give each individual stronger rights over who can keep their information and how it is used. Previously, a company could gather personal information from customers and use it with far looser constraints, including direct marketing of products and services the customer may not have wanted, and could sell or pass customer data on to other companies, even if the customer had never approached that company or signed up for its newsletters.
It took four years of negotiation before the GDPR framework was drawn up and adopted by both the European Parliament and the Council of the European Union in April 2016. Implementation then took a further two years, with enforcement beginning on May 25, 2018. This gap was intended to give businesses and organisations enough notice to update their data protection and privacy policies ahead of the change.
What does the GDPR mean for me?
The GDPR gives individuals new rights to find out exactly what personal information a company holds about them. This is done by submitting a Subject Access Request (SAR), which obliges the company or organisation to provide the data it holds about that person. Individuals can also ask for their personal information to be erased from the company’s records (the “right to be forgotten”), although this right is not absolute: an organisation can keep data it still has a lawful reason to hold, for example to meet a legal obligation. Companies in breach of the rules now face serious penalties, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, so they must meet their new obligations or face real consequences.
Because the GDPR replaced the framework behind the old Data Protection Act 1998, the UK government passed a new Data Protection Act 2018 that sits alongside the GDPR and fills in the details left to member states. Companies and organisations can consult it for guidance, and individuals can read it to understand what obligations companies must meet when handling their personal data.
How will the new GDPR rules impact on business?
Any business or organisation that is responsible for processing or holding personal data is covered by the GDPR. If you are unsure whether the rules apply to you, a simple test is that if you were subject to the old Data Protection Act, you will almost certainly need to comply with the GDPR too.
All personal data is covered by the GDPR, meaning any piece of information a company holds that can be used to identify you, such as your name and address or your banking and financial details. Some categories, known as “special category” data, get extra protection and can only be processed under narrower conditions. These include your sexual orientation, political opinions, religious beliefs, health and medical history, and similar information.
In total, there are 99 articles setting out the rights of individuals and the obligations a company must meet to comply. The GDPR gives individuals eight basic rights, including the right to easily access the data a company holds about you. A company must have a lawful basis for collecting and using your information; consent is one of six such bases, and it is the one that usually applies to direct marketing, so a company must ask your permission before using your contact details to send you a monthly newsletter or a weekly email about new stock, for example. Without your express permission, the company cannot use your contact details for such mailings.
Companies with more than 250 employees (and smaller ones whose processing is not occasional or involves special category data) must keep written records of why personal information is being collected and processed, descriptions of the information held, how long it is kept for, and descriptions of the technical security measures in place.
Organisations that process a large amount of personal information, and those that carry out regular and systematic monitoring of individuals on a large scale, will need to appoint a data protection officer (DPO). Many large corporations already have one in place. The DPO reports to senior management, monitors the company’s compliance with the GDPR and acts as a point of contact for employees, customers and the regulator.
Who is responsible for enforcing GDPR?
The GDPR isn’t a simple ‘set it and forget it’ system. The government’s Department for Digital, Culture, Media and Sport is ultimately responsible for ensuring that UK law complies with the new rules. This is the department that was heavily involved in drafting the old Data Protection Act, but it has less control over the day-to-day enforcement of the GDPR than it once had.
The regulator is the Information Commissioner’s Office (ICO), which has the power to investigate organisations, bring criminal prosecutions for certain offences and issue fines to companies that fall foul of the law. The ICO is also responsible for providing new and established businesses with accurate information and guidance on how to comply with the GDPR.
It is hoped that the GDPR will help to curb the sharp rise in data breaches seen over recent years, including the exposure of millions of users’ account details from LinkedIn, Yahoo and MySpace.
Under the GDPR, a personal data breach, defined as the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data, must be reported to the relevant data protection regulator unless it is unlikely to pose a risk to the people concerned. This can have a serious impact on the companies affected. The ICO must be told about a breach no later than 72 hours after the organisation becomes aware of it, and if the breach is likely to put the affected individuals at high risk, those people must be told as well without undue delay.