As you may already know, the EU’s GDPR guidelines, or “General Data Protection Regulation” is the result of four years of attempts to enhance and improve data protection strategies for the modern world. In the UK, GDPR will be replacing the previous Data Protection Act from 1998, providing people with more control over how companies and enterprises use their data.
Since those who fail to comply with the new GDPR system could end up facing potentially business-destroying fines, it’s important to make sure that you know what you’re getting into, before the May deadline hits. Let’s look at the “Who”, “What” and “When” of GDPR in a quick preparation checklist:
The “Who” Part of GDPR:
The Who part of our GDPR checklist relates to who this new compliance system applies to. In this world of security concerns and privacy mistakes, it’s not enough to simply pass the buck off to someone else.
- GDPR applies to “processors” and “controllers”. While a controller is responsible for determining the means and purposes of processing personal data, a processor makes sure that this data is managed in the most secure way possible
- If you’re identified as a “processor” for your firm, then the GDPR regulations will give you several legal obligations to handle. For instance, you’ll need to maintain personal data records and processing activities, and you’ll be liable if your business is responsible for a breach
- Controllers have obligations to think about too. You’ll be responsible for making sure that your contracts with processors are GDPR compliant
- The GDPR applies to any organisation within the European Union. It also applies to businesses outside of the EU that deliver goods and services to customers in the EU
- The GDPR doesn’t apply to activities that include processing covered by the Law Enforcement Directive, processing carried out purely for personal activities, and processing conducted for national security purposes
The “What” Section of GDPR:
In our What checklist, we’re covering the information that the GDPR standards apply to. This covers everything that you’re going to need to assess and control to remain compliant. For instance, you’ll need to protect:
Personal Data
The GDPR applies to anything that can be classified as personal data. This represents any information that could reasonably be used to identify a person.
- The definition of personal data is vague, which means that it can include everything from a name to location data about a customer, and identification numbers. As such, companies will need to think carefully about the way they collect information about people
- GDPR legislation applies to both manual filing systems and automated systems where personal data might be accessible according to specific criteria. This might include ordered sets of records containing personal data
- Key-coded personal data can still fall within the scope of GDPR depending on how hard it is to attribute a pseudonym or key-code to a specific individual
Sensitive Personal Data
Aside from standard personal data, GDPR also applies to an extra-sensitive category of personal information that includes highly specific recordings about an individual.
- “Sensitive” personal data can include special categories like biometric data and genetic data which is unique to an individual
- Personal data that relates to offences and criminal convictions aren’t included in this section, but there are similar safeguards in place to protect this information
The “When” Part
The General Data Protection Regulation comes into force on the 25th May 2018. There is lots more information here on UC Today and at the Information Commissioner’s website.
