General Data Protection Regulation

Are you GDPR Ready?

“,”serverSync”:”2018/04/23 12:30:15″}’>

May 25th – Are You Ready?

On May 25th 2018, Regulation EU 2016/679, better known as the General Data Protection Regulations (GDPR) will come into force in the EU, and will have an impact on organisations worldwide that deal with personal information from EU citizens. GDPR is the successor to the Data Protection Act in the UK, which has been around since the 1980’s

What is GDPR

The GDPR is a set of updated regulations on how personal information can be collected, used and stored. At the moment the Data Protection Act states how personal information can be used in the UK, the GDPR supersedes this by specifying more clearly what can and can’t be collected, processed and stored, and it includes more rights for the subject of the data, such as the right to be forgotten.

Who does GDPR apply to

The regulations apply to everyone who stores information on EU individuals, regardless of where the data is collected or processed. This mean that international companies also have to comply with the GDPR even if they are processing the personal data in a non-EU country.

Just like the Data Protection Act, it’s not just digital information that is covered. If you keep paper documents they are covered too.

So it’s almost certain that if you have a business you will fall under the GDPR.

Some common types of personally identifiable information might include:

• Details about your employees
• CCTV footage
• Details about your customers 
• Details about your suppliers

Data Breaches

If you suffer a data breach, you have a responsibility to report it to the ICO within 72 hours of becoming aware of the breach. If it’s likely the breach could result in an individual’ rights or freedoms being affected, you must alert those individuals without delay.

You need to make sure your processes regularly check for any breaches of policy, and you need to have documented processes in place to identify affected users in a breach, and you need to keep a log of all data breaches you suffer.

A breach is defined as “The unlawful destruction, loss, alteration, disclosure or access to personal data, both deliberate and accidental, that has affected the confidentiality, integrity or availability of the personal data.” So even the accidental deletion of data by an member of staff with authorised access to the data, is considered a breach of policy.

Rights for individuals

Under the GDPR, individuals have several key rights regarding the data you hold on them, they are;

1. Right to be informed
   An individual has a right to be informed at the point of data collection WHY their data is being collected, HOW it will be used and WHO will be able to access it.
   The policy wording needs to be clear, legible, transparent and precise. So simply mentioning ‘3rd parties’ is no longer sufficient, you need to state who, why and how for each case.
2. Right of Access
   An individual has the right to access the personal information you store about them, including supplementary information, in an easily accessible and understandable format. So if your information contains technical  terms they need to be explained in an easy to understand way.
3. Right to amendment
   If the information you have one an individual is incorrect, they have a right to have they rectified .
4. Right to deletion
   Commonly reported as ‘Right to be forgotten’ the individual has the right to have their personal data securely deleted where there is no compelling reason for its continued processing, if the individual withdraws consent for its continued processing, or when the processing is no longer required.
5. Right to object
   An individual has the right to object to processing of their data for direct marketing (including profiling), for historical or scientific research and for and processing where a legitimate reason exists.
6. Right to transport 
   An individual’s right to data portability allows them to obtain a copy of their personal data in a format that allows them to reuse the data for their own purposes with a different service.
7. Right to rescind
   An individual has a right to block processing of personal data even after consent was initially given. If a request to restrict processing is received, you are still permitted to store the data, but no processing must be carried out on that data.
8. Right to profiling
   If you are performing automated decision making or profiling on an individual’s data, they have the right to request a non-automated processing if the result of the decision is financial or legal. 

In most cases, you will have 30 days to respond to an individual’s request. Responses must be provided free of charge, and in a readily accessible format. You are also required to ‘pass on’ the users request to any other organisations that you have passed the original data onto.

You need to make the individuals aware of their rights at the point of data collection.

We Can Help

There’s a lot of work that needs to be done getting GDPR compliant, we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.

Some of the GDPR specific services we offer include:

• Data Protection Officer Services
• Policy Writing
• Data Handling
• ICO Registering
• Process Monitoring
• Process Assessment

        <a href="mailto:it@tinsleynet.co.uk" role="button">
                    it@tinsleynet.co.uk
                </a>
        <a href="tel:+447825650122" role="button">
                    07825 650122
                </a>
        <a href="/contact" role="button">
                    Contact Us
                </a>