You have probably caught wind of it already, but just in case you haven’t new legislation comes into force in May regarding data compliance. The General Data Protection Regulation, better known as GDPR, comes from the European Union and is designed to give people control over how organisations use their data.
What exactly is it?
The GDPR will replace the Data Protection Act that has been in force in the UK since 1998 and takes effect from the 25th of May 2018. The reasoning behind this new regulation is two-fold:
- To give individuals more control over how their data are used given it is relatively easy for organisations to abuse it. The Cambridge Analytica scandal recently in the news is a prime example of this and this regulation will go a long way towards avoiding similar situations in the future.
- To give organisations greater clarity over what they can and cannot use people’s data for.
Who is affected?
Anyone who controls or processes data will have to comply with the new regulations. What does this mean? A controller is someone who determines how and for what purpose data is processed, while a processor is someone processing the data. In other words, any organisation – such as a business, charity, not-for-profit – which asks for information on personal data is a controller. Organisations such as IT firms who would process data on their behalf would therefore be the processors. It is worth noting that any organisation that does business with the EU is affected, so if you have an office or branch overseas – say, the USA – which deals with data belonging to EU residents, they will also have to comply.
What does this mean for my business?
If you control or process data, you must ensure that it is done in a lawful manner. This means that you must gain consent for data to be used in the way(s) in which you wish to use it. For example, you can no longer use someone’s data to add them to a newsletter mailing list, you must seek their consent to use it for that purpose. That consent must be explicit and affirmative – so people will have to actively tick a box rather than passively agree by accepting a pre-ticked box. Controllers must also keep a record of that consent, including how and when it was given; individuals have the right to withdraw that consent at any time.
Individuals also have a right to ask to see what data an organisation holds for them at ‘reasonable intervals’. They can also seek rectification of any errors or gaps and they can ask for details on how their data are stored, how they are processed, how long they are being kept for, and who has access to them.
If data are used for a specific, one-off purpose, then they must be deleted as soon as that has been completed and the data are no longer required.
Full details of the new regulations can be found on the Information Commissioner’s Office website or you can talk to anyone in our team at Cain and Beer about how it may affect your business. We’re on the phone on 020 3633 1340 or on email at when you need us.