Data protection is a trending issue in the 21st century, and after four years of consultations, the European Union will be presenting its General Data Protection Regulation on 25th May 2018. Designed to take the place of the Data Protection Act 1998, it will give people more control over how their personal information is used when they hand it over to organisations.
The new laws around data protection will be virtually identical in all EU countries, forcing businesses to provide clear information on how they use personal data in terms of storage, transfer and processing. For those that fail to comply, the penalties could be substantial.
Since the beginning of 2018, the new GDPR has been subject to intense study by industry insiders. However, according to a recent report released by the UK Government, it appears many organisations are still not prepared for the changes. By failing to act in time, they could be left with hefty fines totalling four percent of their yearly turnover, or €20 million – whichever figure is higher.
If you are still uncertain of what the new laws will mean for your enterprise, here’s a run-through:
1. Right to be Informed
A cornerstone of the GDPR, this asserts that companies must have a legal reason to process a person’s data and they must be transparent about how the details will be used. Your intentions must be made clear when the data is collected, and if it is obtained from a third party, you’ll need to advise the individual no later than one month after collecting it.
2. Right of Access
Individuals will have the right to retrieve the data held on them and also any supplementary details. As part of this right, people will be made aware of what is lawful in terms of how their data is processed and be able to check this. If they make a reasonable request for information, it must be supplied free of charge.
3. Right to Rectification
If a person discovers that information held about them is untrue or inaccurate, the corrections or additions must be made. The request can be verbal or in writing, and companies have one month to respond. Under certain circumstances, if you feel a request is unfounded or excessive, it is possible to refuse.
4. Right to Erasure
Known informally as ‘the right to be forgotten’, a person is entitled to ask for their data to be removed or deleted if they have a substantial reason. Again, they can request the action in writing or verbally and companies must respond within one month.
5. Right to Restrict Processing
Each individual will have the right to block further processing of any personal data you hold. You can still store the information, but you cannot use it. However, this will only apply in specific circumstances, for example, when the data has been unlawfully processed.
6. Right to Data Portability
Individuals will have the right to retrieve and reuse any data held on them, then use it for their own reasons. They should be able to move the information easily between different types of IT infrastructure, in a way that is both portable and secure. They can use the details to seek out better financial deals or view their spending patterns.
7. Right to Object
If an individual specifically objects to their personal data being processed, a business must comply. This includes direct marketing, statistics, research and even processing carried out in the public interest. Exceptions include processing that relates to legal claims or when the reasons for processing override the rights of an individual.
8. Rights related to Automated Decision Making and Profiling
It is rare for a company to have fully automated decisions – in most cases, businesses are keen to have a human element involved. When data is handled automatically, people have the right to request human intervention or to challenge decisions made by automatic processing.
9. Privacy by design
By considering individual privacy in advance, businesses can create procedures with the built-in ability to safeguard people’s information.
Applying these new regulations may feel like a challenge, but it’s essential to start work soon. GDPR will be upon us next month, so now is the time to consider how the new requirements will affect your current data processes.
We understand the importance of GDPR compliance to your company. Our aim, as always, is to help and guide you in the best possible way. With this in mind, we are delighted to announce the new Data Assurance Module for existing and new customers. This software will incorporate specific functionality to help your company with GDPR responsibilities through the Time Management System.