General Data Protection Regulations
Amethyst’s Steve Mash explains What the GDPR means for your business
The General Data Protection Regulation (GDPR) is a new EU legal requirement that will become enforceable from 25th May 2018. The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company located anywhere in the world that wishes to work with, or continue to work with, information relating to EU citizens will have to comply with the requirements of the GDPR. For UK organisations that process personal data, the introduction of GDPR will require additional activities over and above those that should already be being undertaken to support compliance with the Data Protection Act.
The definition of personal data has a more detailed definition and includes on-line identifiers such as IP addresses. Personal data relating to children has specific provisions aimed at enhancing protection. Pseudonymized personal data may also fall within the scope of GDPR, depending upon the level of anonymization used.
The GDPR imposes restrictions on the transfer of personal data outside the EU to ensure that the level of protection that the individuals have within the EU is not compromised when the personal data leaves the EU. The destination of the transfer must have been deemed by the EU commission as having an adequate level of protection before the transfer can be permitted and transfers must be subject to appropriate safeguards as defined by the GDPR.
The GDPR emphasises transparency, accountability and governance in the processing of personal data. It aims to reduce the risk of data breaches and promote best practice for the protection of personal data. Where breaches do occur, the GDPR places a duty on the affected organisations to report the breach under certain circumstances and to have processes in place to manage the breach. Privacy impact assessments and privacy by design have become legal requirements under certain circumstances. Organisations with more than 250 employees also have additional obligations for the recording of their personal data processing activities.
The GDPR provides individuals with the following rights by placing obligations upon the organisations processing their personal data:
The right to be informed
Organisations must provide fair and transparent processing information explaining how personal data is processed. This must be concise and intelligible; written in clear and plain language and it must be easily and freely accessible.
The right of access
Organisations must provide individuals with access to their personal data in response to a subject access request in a manner in accordance with the requirements of the GDPR which includes factors such as fees and response times. This includes provisions for organisations where the subject access request is unfounded, repetitive or excessive in nature.
The right to rectification
Individuals have the right to have their personal data rectified if it is inaccurate or incomplete. Organisations are obliged to perform this rectification in a timely manner unless justification for not doing so can be provided.
The right to erasure
Individuals have the right for their personal data to be erased under specific circumstances and organisations are obliged to comply with such requests unless there is a valid reason for refusal. The right to erasure places an onus on the organisation holding the personal data to also extend the erasure to any third parties that the data may have been disclosed to. Such circumstances for erasure and the reasons for refusal are laid out in the GDPR.
The right to restrict processing
Individuals have the right to block or restrict the processing of their personal data by an organisation under set circumstances. Organisations are obliged to ensure that the processing of the personal data is restricted and that the restriction is respected in the future. These restrictions will also apply to any third parties that the data may have been disclosed to.
The right to data portability
Individuals have the right under certain circumstances to move, copy or transfer their personal data from one organisation to another so that they can use it for a different service. This movement of personal data needs to be done freely and securely without hindrance to its usability in a timely manner unless the organisation holding the personal data has a legitimate reason for not complying as laid out in the GDPR.
The right to object
Individuals have the right under certain circumstances to object to the processing of their personal data. Organisations processing personal data must implement an accessible mechanism to allow objections to be made and, where the objection is valid, stop processing that personal data.
Rights in relation to automated decision making and profiling
Individuals have the right under certain circumstances to ensure that their personal data is not processed using automated decision making processes without safeguards such as human intervention being in place.
The key point to consider is the accountability requirements and the need to demonstrate compliance through the documentation of decisions regarding processing of personal data to show that the processing is lawful. This goes beyond existing requirements of privacy legislation such as the UK Data Protection Act. Under GDPR, the legal basis for the processing of personal data is linked to the rights of the individuals whose data is being processed. For example, if the legal basis is dependent upon the individuals providing consent for the processing to take place, those individuals have stronger rights as to how the data is managed. The criteria for individuals providing consent are also strengthened so that consent must be because of affirmative and verifiable action; consent can also be withdrawn at any time.
Amethyst operates in both the public and private sectors, delivering a dedicated, personal service of the highest standard. Amethyst can help your business get prepared for GDPR with our team of highly qualified and experiences specialists; many have more than 20 years’ experience of in the fields of Data Protection, Cyber Security and Information Assurance.
To find out how we can help, contact us today: firstname.lastname@example.org