Businesses prepare for tightening of data rules
Next year’s General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018, is causing quite a lot of angst among IT professionals, marketers and other business people. And the UK’s exit from the EU isn’t necessarily going to change things.
Whatever your personal view on Brexit, you might be forgiven for thinking that British businesses are no longer going to have to worry too much about EU regulations.
The reality, however, is that directives from Brussels are still going to be a fact of life until the point of formal departure.
There is a further reason, however, to take note of the GDPR. According to the trade magazine and website Computer Weekly, the rules will affect any UK business which offers any type of service to the EU market, ‘regardless of whether your business stores or processes data on EU soil, and whether the UK stays in the EU or not’.
The UK Information Commissioner’s Office describes GDPR as operating on similar principles to the Data Protection Act, but with an added layer of detail and an additional concept of accountability. So what are the key issues you’re likely to confront?
If you are processing personal data, you need to have a legal basis for doing so and must be able to document it. Relying on someone’s consent? Well, you may find that they have greater rights in future – particularly to have their data deleted.
People need to take affirmative action to give consent to their data being used. If they are silent or you have pre-ticked boxes for them, that won’t count. You need to record when and how the consent was given. What’s more, it can be withdrawn at any time.
The rights of individuals
The GDPR gives a number of protections to individuals that your organisation must observe:
The right to be informed – you need to provide ‘fair processing information’, which will usually involve a privacy notice. It’s important to be transparent over how you use data.
The right of access – individuals will have similar rights to those under the Data Protection Act. They can ask you to confirm you hold data and request access to that data.
The right to rectification – if information you hold is incorrect or incomplete, an individual has the right to demand that you correct it.
The right to erasure – also known as ‘the right to be forgotten’. Someone is entitled to request that you delete or remove personal data if there is no compelling reason for your continuing to process it.
The right to restrict processing – if an individual asks for the processing of their data to be blocked, you must respect their request. You are only allowed to store the data and retain enough information to ensure their wish is respected.
The right to data portability – this allows people to obtain and then reuse their data – transferring it from one IT environment to another.
The right to object – an individual can object to profiling conducted in the public interest or for direct marketing purposes. They can also object to the use of data for scientific or historical research and statistics.
The detail of the regulations is understandably complex, so if you feel that you are likely to be impacted, it’s important that you read more online or take professional advice on how to prepare.