BUSINESSES should already be aware that new rules on how we collect and process personal data are now in force under the EU General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.
For businesses still dealing with this, there is a guidance document which will help you understand what you need to do to comply with the new legislation – we would urge all members to read this.
The new European data protection law replaces the 1995 Data Protection Directive. Many of the GDPR’s main concepts and principles are much the same, so if you were complying properly with the previous law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
It is important to ensure that businesses only hold personal data for a permitted reason.
Ensuring data is processed fairly and in accordance with the principles laid down in the GDPR will be key to avoiding a breach of the regulation. This also means ensuring that individuals’ rights are observed.
Two of the most obvious rights that businesses will need to be able to deal with are:
1. The right to make a subject access request. This is a right which was already in place under the Data Protection Act and allows an individual to ask what data the data controller holds about them and to receive copies of that information. Any subject access request must be responded to within one month (the GDPR allows this to be extended by up to two further months where a request is complex, but the individual must be told of the extension within the first month). A failure to comply with such a request can lead to complaints being made to the ICO.
2. The right to erasure (or the right to be forgotten, as the press tends to call it). This allows an individual to require the data controller to remove, delete or destroy some or all of the personal data which the data controller holds about them. The right is not absolute: it applies only in the circumstances set out in the GDPR, such as where the data is no longer needed for the purpose it was collected for or where consent has been withdrawn, so a business needs a process for assessing each request rather than deleting data automatically.
The key to managing matters will be to sit down now and consider:
What personal information you hold about individuals
What lawful basis you have for holding this
Ensuring you have procedures in place to deal with the obligations you will need to comply with under the GDPR (e.g. privacy statements; a data retention policy; a data breach policy; a policy for dealing with subject access requests; etc.).
In the event of any complaint being made to the ICO, the documented record of the steps you have taken to ensure compliance with the GDPR will be essential.