THE GENERAL DATA PROTECTION REGULATION (GDPR) REFORM 2018
Proceeded by the ICO
There is to be one set of data protection rules for the whole of the EU, providing a level playing field for all EU and non-EU businesses offering goods and services to persons within the EU.
The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will not apply until 25 May 2018.
What is personal data?
Personal data is defined as any information relating to an individual, such as a name, photograph, email address, bank details, social activity, medical information or computer IP address.
The new legislation contains some onerous obligations that will have an immediate impact. Many companies are re-examining their processes and procedures now in order to ensure compliance.
Now is a good time to audit your current data.
What to do – a checklist
Designate a data protection officer/controller
People own their data and should be able to transfer personal data from one electronic processing system to another in the knowledge that it is safe. The managing data controller or processor is obligated to facilitate this and to respect individuals' rights while processing the personal data entrusted to them.
Where data is found to be inaccurate, or was processed illegally, people are entitled to ask for the data to be corrected, erased or blocked. They may also demand that the data controller notify those who have already seen the incorrect data, unless this requires a disproportionate effort.
A data subject's consent to the processing of their personal data must be as easy to withdraw as it is to give. Consent must be "explicit" for sensitive data. The data controller is required to be able to demonstrate that consent was given. Existing consents may still be valid, but only provided they meet the new conditions.
You must seek valid consent (seek, obtain and record this consent) for an explicit purpose (state what you will use the data for).
Data controllers have a responsibility to notify most data breaches to the DPA without undue delay and, where feasible, within 72 hours of awareness. A reasoned justification must be provided if this time frame is not met.
Failure to comply could result in warnings and fines of up to €20,000,000.
The UK ICO has procedures to detect and report personal data breaches, and already expects to be informed about all "serious" breaches.