It used to be the case that a person could freely walk across or use another person’s land so long as they were not violating other laws. More recently, governments protected the landowners’ property rights by strictly restricting how other people could access and use their property. In 2016, the EU passed laws that clarify the property interest of individuals in the data that is collected about them, and determine how the custodians of the data must control how the individual, the custodians themselves, and any third parties access and use the data. This legislation is called the General Data Protection Regulation (GDPR), and it comes into force on 25th May 2018.
GDPR Is the Law
All UK organisations, as well as all EU organisations and all organisations processing data belonging to EU residents, will need to be fully compliant by 25th May 2018. Additionally, legal experts agree that Brexit is unlikely to relieve UK organisations of their responsibilities under the law (in any case the law will take effect long before Brexit is completed).
GDPR determines how data is to be stored, accessed, protected and utilised. In simple terms, GDPR gives the public more power to access the information being held about them without having to go through a formal Subject Access Request (SAR). Individuals also have the right to specify how their data is accessed and used by other people and entities. Finally, GDPR requires the holders of data to manage it according to privacy best practices. The people whom your data describes are recognised as having a property interest in that data, and this must be respected. Fortunately, GDPR describes how you are expected to arrange things so that your databases respect the law.
What Do We Need To Do?
GDPR mandates that organisations appoint a Data Protection Officer (DPO). Your DPO will be responsible for data protection compliance and will need to be in contact with internal and external customers in the event of a data breach. For most small businesses, it won’t be a legal requirement to formally appoint a DPO. It is also possible to appoint someone outside the firm (for example, a consultant) to be your DPO. However, someone in your business will, in general, be responsible for data compliance obligations under the GDPR, including documenting that compliance.
Note that under the GDPR, a data breach is not limited to personal or financial details being left unprotected or inappropriately accessed. GDPR has a broader scope. It covers confidentiality agreements, usage details, IP addresses, or any other data identifiable as belonging to an individual within the EU, including encrypted data.
The provisions of the GDPR can be divided into eight key rights possessed by the individual whose data is being stored and processed. The regulation also states how you must respect these rights.
- Right of access: Individuals can request access to their personal data.
- Right to be forgotten: Individuals may ask you to tell them how you use their data. They can ask you to remove and delete their personal data.
- Right to be informed: Individuals must know how you intend to use their data at the time that you gather it, and they must freely give their consent to that usage. There are rules that govern what information we need to supply and at what stages we need to supply it to the client.
- Right to data portability: Individuals must be allowed to transfer or move their personal data between service providers easily and safely. This move must be accomplished without denying the individual access to or use of their data.
- Right to data rectification: Individuals must be permitted to correct their data if it is inaccurate or incomplete. Customers need to be made aware of the third parties to whom the data has been disclosed. Data holders must make sure that these third parties are also informed of the corrections to the data.
- Right to restrict processing: Individuals whose data you hold may specify how you may not use or process it, or deny you the right to process it altogether.
- Right to object: Individuals may object to your usage of their data based on their own particular circumstances.
- Rights related to automated decision making and profiling: You must have safeguards in place against the risk that a potentially damaging decision might be made without human intervention. Individuals generally have the right not to be subject, without their consent, to a decision that is based on an automated profiling or demographic sorting process.
What Else Do We Need To Know About the GDPR?
Naturally, as with any legal compliance issue, it’s best to consult your company’s legal advisers to determine which provisions of the law you already comply with, and which provisions you need to work on in order to be ready by the May 25th deadline. As with most legislation, interpretations of details, or even of key provisions, may differ. Fortunately, there are official bodies issuing clarification and guidance, such as the Information Commissioner’s Office in the UK and the Data Protection Commissioner in Ireland.
Once you know what your data compliance efforts must accomplish, our team of professional database experts at Caldere will be happy to give you the tools, methods, and support you need to reach those goals. Please don’t delay; a full and effective overhaul of your data policy is not something that can be done at the last minute. Contact us today to find out how we can help.