Understanding GDPR: General Data Protection Regulation
Businesses that offer products or services to the public will already know of the UK Data Protection Act of 1998. From 25th May 2018, the European Union will enforce GDPR (General Data Protection Regulation) on top of the data protection framework that already exists.
It exists so that the data of citizens within the European Union is protected digitally when confidential information is exchanged during business transactions between those citizens and the organisations they deal with. Businesses which operate outside the European Union, but sell goods and services to the EU, will also have to follow this legislation.
Following the June referendum, we discovered that the UK would be leaving the European Union; this legislation will nevertheless still be imposed, with the full support of the British government. We look at what GDPR means for organisations across the European Union:
Does GDPR have influence?
The General Data Protection Regulation has an impact on any business that handles personal information. The legislation defines two types of operative: controllers and processors.
Processors handle the information provided by controllers. It is the processor's responsibility to ensure that personal information about an individual is disseminated and distributed in accordance with statutory guidelines, in a way that does not compromise that individual's privacy. Processors will, however, be under significantly more legal liability than before if they are responsible for a data breach.
A controller is the individual or organisation that determines how and why personal data is being processed; an example of this would be a payroll company. The processor acts on the controller's behalf to ensure that personal information is processed in an appropriate way and through the correct communication channels.
GDPR: what it covers
Many different types of personal information are protected by the GDPR, including bank details, contact addresses and medical records: any sort of specific information that relates to an individual. However, the GDPR has taken the definition of personal data a step further; now, information such as a computer's IP address is personal data. This is to ensure that users are protected online, that individuals cannot be located through a personal computing device, and that the data users input online is protected from malicious software that seeks to access personal information via an IP address.
Reviewing the data protection policy
The GDPR has set out new guidelines that businesses must follow, so it is recommended that businesses review their data protection policy to make sure that it is correct. However, because existing legislation already protects sensitive personal information, most organisations should already be protecting personal information in the appropriate way.
Customers hold certain rights that businesses must comply with when customers give out their personal information. These rights cover a variety of situations and should act as a guideline whenever information is processed on an individual's behalf. KBR, experts in digital networking solutions, found that the rights of individuals regarding personal information shared with organisations are as follows:
- The right to be informed. Individuals should be told, on request and in writing, how their personal data is processed, in the form of a privacy notice; this emphasises the need for transparency about the way personal data is used.
- The right of access. Individuals have the right to be notified that their data is being processed, and to gain access to their personal data alongside other supplementary information, as included within a privacy notice.
- The right to rectification. If personal data is incorrect or inaccurate, individuals are entitled to request that this information be rectified. Third parties must also be informed so that they can correct the information that has been passed on to them.
- The right to erasure. If personal data is no longer required by an organisation, or the information does not need to be held, an individual has the right to request that this information be forgotten.
- The right to restrict processing. Individuals can restrict the right of organisations to process their data. The personal data may still be stored, but it cannot be processed further once it has been stored.
- Data portability. Individuals are entitled to obtain their own personal data stored by an organisation and, without hindrance, move it from one IT system or environment to another safely and securely.
- The right to object. If personal data is being processed for purposes such as profiling, direct marketing, or scientific and historical research and statistics, individuals have the right to object to such activities.
- Automated decision making. If organisations use personal data within automated systems that remove the need for human decision making, GDPR safeguards individuals from any damaging effects of that process when their data is handled. Decisions made about personal information should therefore always be open to challenge through human intervention, to ensure that personal data is always processed safely.