When do the new regulations start?
25th May 2018
Who will enforce it in the UK?
Information Commissioner's Office (ICO)
There are new rights for people to access the information companies hold about them, obligations for better data management by businesses, and a new regime of fines.
General Data Protection Regulation (GDPR)
In May 2018, Europe's data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased.
Simply put, the old regime was no longer fit for purpose.
The solution is the mutually agreed European General Data Protection Regulation (GDPR), which applies from 25 May 2018. It will change how businesses and public sector organisations can handle the information of customers.
1st Safety Solutions have the knowledge and expertise to assist your organisation in navigating its way through this legislation.
What is GDPR?
The GDPR is Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
The EU's GDPR website says the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as for businesses and bodies that handle personal information.
GDPR changes how personal data can be used. Its provisions in the UK will be covered by a new Data Protection Bill, which has now been published by the government.
Is your Company/Start-up likely to be affected?
In short, yes. Individuals, organisations and companies that are either 'controllers' or 'processors' of personal data will be covered by the GDPR. As the ICO's guidance puts it: "If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR."
Both personal data and sensitive personal data are covered by the GDPR. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person. This can be a name, an address or an IP address. Sensitive personal data (the GDPR calls these "special categories") encompasses genetic data, information about religious and political views, sexual orientation, and more.
So what's different?
In the full text of the GDPR there are 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. These include giving people easier access to the data companies hold about them, a new fines regime, and a clear responsibility for organisations to obtain valid consent from the people they collect information about whenever consent is the lawful basis they rely on.
Access to Data
As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals a lot more power to access the information that's held about them. At present, a business or public body can charge £10 to answer a Subject Access Request (SAR), in which an individual asks for the information held about them.
Under the GDPR this fee is being scrapped and requests for personal information can be made free of charge. Organisations will also have to respond within one month of receiving the request, and may only charge a fee, or refuse, where a request is manifestly unfounded or excessive.
Accountability and Compliance
Companies covered by the GDPR will be more accountable for their handling of people's personal information. This can include having data protection policies, carrying out data protection impact assessments, and keeping records of how data is processed.
There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information, it has to make clear exactly what the person is agreeing to, and the consent has to be a "positive opt-in": pre-ticked boxes, silence or inactivity do not count.
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don't comply with it. If an organisation doesn't process an individual's data in the correct way, it can be fined. If it is required to appoint a data protection officer and hasn't, it can be fined. If there's a security breach, including one that it fails to report to the ICO within 72 hours where notification is required, it can be fined. The maximum penalties are €20 million or 4% of worldwide annual turnover, whichever is higher.