The General Data Protection Regulation (GDPR)
06 Nov 2017
The above piece of legislation, which replaces the Data Protection Act, comes into effect on the 25th May 2018. It is likely that this will affect your business, and although it’s a piece of European legislation and we have Brexit on the table, it has already passed into UK legislation and is not going to go away.
You need to make sure your business is ready for this.
Since the first Data Protection Act came in, the internet’s dramatically changed the way we do business and the way we handle all our day-to-day tasks. The vast majority of companies do not have a plan for when GDPR kicks off in 2018. The basic points of GDPR are as follows:
- This legislation gives control back to the person whose data you are processing.
- Individuals have the right to access. This means they’ve got the right to request access to their personal data and to ask how their data’s being used by the company after it’s been gathered. Companies must provide a copy of the personal data, free of charge and in electronic format if asked.
- The right to be forgotten. If people are no longer customers or withdraw their consent from a company to use their personal data, then they have the right to have their data deleted. This is a particularly challenging part of the legislation as it is extremely difficult for some businesses to manage data deletion. Even data on backups would need to be deleted.
- The right to portability – people have a right to transfer their data from one service provider to another. That must happen in a commonly used and machine-readable format.
- Individuals have the right to be informed. Individuals must be informed before data is gathered, and consumers have to opt in for their data to be gathered; companies can no longer run a system where consumers are opted in by default and have to opt out. Consent must be freely given rather than implied.
- The right to have information corrected.
- The right to restrict processing. Individuals can request that their data is not used for processing; their record can remain in place but must not be used.
- The right to object. This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. If your email inbox is anything like mine, one might hope that this would stop a lot of spam! I bet it doesn’t though.
- The right to be notified. If there’s been a data breach which compromises an individual’s data, that individual has the right to be informed within 72 hours of the firm first becoming aware of the breach.

This is only a small part of GDPR. We’ll be advising further!