The highly anticipated EU General Data Protection Regulation (GDPR) takes effect next Friday 25 May 2018 in a landmark moment for data protection in the UK and across Europe.
GDPR is the most significant reform of data protection law in Europe in over twenty years. The new rules cover any organisation that holds or processes EU resident personal data. That is not limited to tech companies but affects organisations of every size and sector.
This might seem daunting for some companies who may not be sure what they are meant to be doing to ensure they are GDPR compliant by 25 May 2018. There is plenty of guidance and advice out there. techUK has been doing lots of work to raise awareness of GDPR and as we approach the final push, we’ve outlined below the five key points companies should consider.
Approaching GDPR compliance isn’t helped by the fact that there are no specific GDPR compliance tools or approved standards. This is the first key point for organisations looking for help for GDPR –there are no approved seals, certificates or codes. There will be one day, but there are none available yet, so don’t be tricked by someone claiming they have an approved GDPR product or are a certified GDPR expert.
Let’s be clear about the type of information that is covered by GDPR. The definition of personal data has changed, and more types of information are covered. The official definition, in law, is:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The Information Commissioner’s Office (ICO) has produced a guide which sets out what information GDPR applies to which you can view here.
There is a common misconception that organisations will always need consent to hold or process personal information. That is not true and is a misrepresentation of GDPR. There are, in fact, six legal bases for processing personal data and there is no hierarchy or preference of legal basis. Whichever is most suitable should be used. Consent may not be an appropriate legal base for processing data and therefore should not always be used.
The six legal bases are:
You can see the ICO’s guidance on the legal bases here.
GDPR requires companies to appoint a Data Protection Officer (DPO) if you are a public authority or your core activities require large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data or data relating to criminal convictions.
Other than that, you don’t need to appoint a specific DPO, although you can if you wish. The choice is yours.
The ICO has published a suite of guidance relating to the GDPR on both the law in general and specific parts.
The general piece of guidance can be found here which specific sections further down the document.
There is also ICO guidance on the UK Data Protection Bill (soon to be Data Protection Act), which can be found here.
There is specific guidance for small businesses here and a dedicated helpline for SMEs and charities which can be reached at 0303 123 1113.
Remember, the GDPR is an EU wide regulation. There is also guidance available from the Article 29 Working Party (The EU-level collection of each EU Member State’s Data Protection Authorities on which the ICO sits) here. Again, there is both general and more specific guidance available. One of the changes under GDPR is that the Article 29 Working Party will cease to exist on 25 May 2018 and will be replaced by the European Data Protection Board which will carry out many of the same functions.
And FINALLY, you could always check out the 156 pages of GDPR itself which you can see here.
This article was originally published here.