The UK Data Protection Act 1998 is something that businesses will know of, especially if they offer some sort of product or service to the public. From 25th May 2018, the European Union will enforce the GDPR (General Data Protection Regulation) on top of the existing data protection framework. Together with KBR, experts in digital networking solutions and security, we look at what the GDPR means for organisations across the European Union:
The GDPR helps protect the data of citizens within the European Union when it comes to transactions with businesses – especially on a digital platform. Businesses which operate externally to the European Union, but sell goods and services to the EU, will also have to follow this legislation.
With the support of the British government, this is a piece of legislation that will continue to be enforced in the UK – even though we voted to leave the European Union.
Does GDPR have an impact on businesses?
Yes, the GDPR has an effect on any organisation that handles personal data. The legislation defines two types of operative: controllers and processors.
Controllers pass information to processors, and it is the duty of the data controller to make sure that the information is going to the right people. However, processors will be under significantly more legal liability if they are responsible for a data breach. For example, within a payroll company, the controller would be the party that defines how and why personal data about those being paid is processed, while the processor acts on the controller’s behalf to ensure that personal information is processed in an appropriate way and through the correct communication channels.
Is your data being protected?
A lot of a person’s data is protected by the GDPR, including medical records and any contact details. However, the GDPR has taken the definition of personal data a step further: information such as a computer’s IP address now counts as personal data. This is to ensure that users are protected online and that individuals cannot be located through a personal computing device, while also protecting the data that users enter online from malicious software that seeks to reach personal information via an IP address.
Reviewing your data policy as a business
It is important that businesses which handle personal data continue to review their existing data policy to make sure it is in line with the current guidelines. However, because existing legislation already protects sensitive personal information, most organisations should already be protecting personal information in the appropriate way.
Individual rights in relation to data
Individuals who hand over their data have rights that companies must comply with. These rights cover a variety of situations and should act as guidelines whenever information is processed on an individual’s behalf. The rights individuals hold over personal information shared with organisations are as follows:
- The right to be informed. Individuals should be told, on request, how their personal data is processed, in the form of a privacy notice; this reflects the need for transparency about the way personal data is used.
- The right of access. Individuals have the right to be notified that their data is being processed, while gaining access to their personal data alongside other supplementary information – included within a privacy notice.
- The right to rectification. If personal data is incorrect or inaccurate, individuals are entitled to request that it be rectified. Third parties must also be informed so that they can correct the information that has been passed on to them.
- The right to erasure. If an organisation no longer requires personal data, or there is no longer a reason to hold it, an individual has the right to request that this information be erased.
- The right to restrict processing. Individuals can restrict an organisation’s right to process their data. The personal data may still be stored, but it cannot be processed further.
- Data portability. Individuals are entitled to obtain the personal data an organisation stores about them and to move it freely, safely and securely from one IT system or environment to another, without hindrance.
- The right to object. If personal data is being processed for purposes such as profiling, direct marketing or scientific and historical research and statistics, then individuals have the right to object to such activities.
- Automated decision making. If organisations use personal data within automated systems that remove the need for human decision making, the GDPR safeguards individuals from any damaging effects of such processing. Decisions made about an individual on the basis of their personal information should therefore always be open to challenge through human intervention, to ensure that personal data is processed safely.