If 25 May 2018 isn’t ringing any bells for you, then it should be – it’s the day that the General Data Protection Regulation (GDPR) comes into force. GDPR is a piece of data protection legislation, adding to the existing Data Protection Act 1998 to give individuals more control over their own personal data. It means that businesses have to be transparent about how data is used, sent, processed and stored, with harsh penalties for non-compliance.
Despite it having been a hot topic in the business world for the past few months, a recent government survey has found that many businesses are still unprepared for the legislation, putting them at risk of fines of up to four per cent of their annual global turnover, or €20 million – whichever is higher.
Still not sure what it involves? Let us run you through it…
- Right to be informed
There must be a lawful reason to process someone’s data, and you must supply clear and concise information about how it will be processed.
- Right of access
Each individual has the right to access and obtain their personal data if they request it.
- Right to rectification
If an individual finds that their personal data is inaccurate or incomplete, they have the right to have the information rectified within one month.
- Right to erasure
Also known as ‘the right to be forgotten’, an individual can request the permanent deletion or removal of their personal data if there is no strong reason for its processing.
- Right to restrict processing
Individuals are entitled to block the processing of their personal data – you are permitted to store the data, but processing it any further is prohibited.
- Right to data portability
This right allows individuals to copy or transfer their data across different services in a safe and secure way.
- Right to object
Businesses must stop processing personal data if an individual requests it, unless they have a legitimate reason to continue processing – for example, if it’s for the establishment or defence of legal claims.
- Rights related to automated decision making and profiling
Although fully automated decisions are rare, as most business decisions have human intervention, individuals have the right to not be subject to any decisions made by automatic processing.
- Privacy by design
All new services should consider the procedures of personal data processing at the point of design.
Getting to grips with the new regulations can be a daunting prospect, but your business can’t afford complacency – if GDPR isn’t already on your radar, it’s time to get your data processes in order.