GDPR 101: how will your business be affected by the big changes coming to data protection

Unless you’ve been hiding your business under a rock in recent months, you will no doubt have heard about the General Data Protection Regulation (GDPR) coming into effect in the UK on the 25th May.

While most businesses are now aware of the changes to legislation, many are still unclear as to exactly how they might affect them. Indeed, 25% of businesses asked in a recent Experian survey admitted that they were “not very” or “not at all” prepared for GDPR.

If you are still unsure of the implications of GDPR or would simply like a recap on the key details, here’s an overview with the help of information security expert David Lloyd of Signacure Resilience.

GDPR at a glance

– New data protection laws coming into force in May 2018
– Designed to update and standardise current data protection regulations across Europe
– Laws will apply across Europe beyond Brexit

The current regulations . . .

Currently, UK businesses operate under the Data Protection Act 1998 (DPA). While this act was once considered to be robust and sufficient for managing the passing of data, radical shifts in the way that businesses can access and share data thanks to digital technologies have made it necessary for the UK government to reassess the rules. The reassessment is intended to provide more of a balance in the power relationship between the citizen and the organisation.

Data has become a big part of business thanks to a whole host of online tools. And the sheer volume and variety of data that can be gathered at the push of a button makes it more important than ever that individuals are given adequate protection and privacy.

What does GDPR apply to?

The GDPR applies to what is termed “personal data”. This means any information relating to a person who can be identified, such as a name, location or ID number. This is also known as PII.

More sensitive personal data covered by GDPR may also include genetic data and biometric data, although information relating to criminal convictions and offences is not included.

If you run a business and you handle data, you may be described as the “controller” of that data. If you utilise that information for any purpose then you are also the “processor” of that data. In some instances, however, a business may contract a third party as the “processor” – for example, those businesses that choose to outsource their marketing activity.

Why is GDPR being implemented?

In the digital age, technology has made it easier than ever before to access and utilise information relating to others for not just personal reasons but also commercial and even criminal purposes. From persistent spamming of individuals by email to identity theft, people have found themselves with very little protection against those who would take and use personal data.

In response to this, the new GDPR principles are designed to ensure that personal data is “processed lawfully, fairly and in a transparent manner in relation to individuals.”

In order to do this, the legislation states that data should always be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

In simple terms, GDPR will ensure that those who give a company or organisation information will know precisely how their information will be used going forward and that, should their information become inaccurate, their details are processed, erased or rectified without delay.

What do businesses need to know about processing information?

There are 6 broad themes involved in the new GDPR regulations. While the details can be nuanced and complex, depending on the business, the general principles remain the same. They are as follows:

1. Know what data you possess and why you have it
2. Manage your data in a clear and structured way
3. Always know who is responsible for holding and managing data
4. Use encryption to protect any data that you wouldn’t want to be disclosed
5. Create a “security aware” culture
6. Always be prepared for change – expect the best but prepare for the worst

David Lloyd’s step-by-step guide to data processing

The following points must be considered when holding any personal data relating to an individual:



1. The data subject must have given explicit consent to the processing of the personal data for one or more specified purposes.
2. Processing is necessary in order to adhere to GDPR regulations and exercise specific rights of the controller or the data subject in relation to employment and social security and social protection law (with appropriate safeguards for rights and interests of the data subject)
3. Processing is required to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
4. Processing relates to personal data manifestly made public by the data subject

There are 6 reasons why data may be processed. These are:

1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
3. Processing is necessary for compliance with a legal obligation to which the controller is subject
4. Processing protects the vital interests of the data subject or of another person
5. Processing facilitates the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For more information on GDPR, refer to the Information Commissioner’s Office (ICO) website.