Companies that offer the public a product or service should be aware of the UK Data Protection Act 1998: from May 2018, the EU will implement the General Data Protection Regulation (GDPR), which will combine with the data protection framework presently in use.
This new regulation is set to unify data protection for all EU citizens within the digital economy, covering everyday company transactions. Businesses that operate outside the European Union but sell goods and services into the EU will also have to follow this legislation.
Although the UK is set to leave the EU, this European legislation will still be enforced in the UK, with backing from the UK Government. But what does GDPR mean for organisations across the European Union?
Will GDPR have an impact?
Companies that handle any type of personal data will be affected by the GDPR once it is implemented. The legislation defines two types of operator: controllers and processors.
Processors handle the information provided by controllers; it is the responsibility of the data controller to ensure that personal information about an individual is disseminated and distributed in accordance with statutory guidelines, in a way that does not compromise that individual’s privacy. However, processors will be under significantly more legal liability if they are responsible for a data breach.
For example, within a payroll company, the controller would be the person who defines how and why personal data about those being paid is processed, while the processor acts on the controller’s behalf to ensure that personal information is processed in an appropriate way and through the correct communication channels.
Is your information protected by GDPR?
Personal data includes medical records, addresses, contact details, banking details and other information that is specific to a person, and all of this data is covered by the GDPR. However, the GDPR has taken the definition of personal data a step further: information such as a computer’s IP address is now personal data. This is intended to ensure that users are protected online and that individuals cannot be located through a personal computing device, while also protecting the data users enter online from malicious software that seeks to access personal information via an IP address.
It is important for companies to review their current data policy regularly to make sure it works within the guidelines of the GDPR. However, because existing legislation already protects sensitive personal information, most organisations should already be protecting personal information in the appropriate way.
Whether a company acts as a controller or a processor, individuals hold rights that it must comply with when dealing with their personal data. These rights cover a variety of situations and should act as a guideline whenever information is processed on an individual’s behalf. The rights of individuals regarding personal information shared by organisations are as follows:
• The right to be informed. Individuals should be given, on request, written information about how their personal data is processed, in the form of a privacy notice; this emphasises the need for transparency about how personal data is used.
• The right of access. Individuals have the right to be notified that their data is being processed and to gain access to their personal data alongside other supplementary information, as included within a privacy notice.
• The right to rectification. If personal data is incorrect or inaccurate, individuals are entitled to request that it be rectified. Third parties must also be informed so that they can correct the information that has been passed on to them.
• The right to erasure. If personal data is no longer required by an organisation, or there is no longer a need to hold it, an individual has the right to request that this information be forgotten.
• The right to restrict processing. Individuals can restrict an organisation’s right to process their data. The personal data may still be stored, but it cannot be processed further once stored.
• Data portability. Individuals are entitled to obtain their own personal data held by an organisation and move it freely, safely and securely from one IT system or environment to another, without hindrance.
• The right to object. If personal data is being processed for purposes such as profiling, direct marketing, or scientific and historical research and statistics, individuals have the right to object to such activities.
• Automated decision making. If organisations use personal data within automated systems that remove the need for human decision making, the GDPR safeguards individuals from any damaging effects incurred through this process when their data is handled. Therefore, decisions made regarding personal information should always be open to challenge through human intervention, to ensure that personal data is always processed safely.