The General Data Protection Regulation – What You Need to Know
7th November 2017
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European Union “Regulation” which serves to protect the personal data of anyone in the EU. If you are an EU citizen or simply live, work or travel through the EU then you and your personal data are in scope. The term “Regulation” means that once the GDPR was published in May 2016, it instantly became law in all 28 EU member states. This differs from an EU “Directive” which each country interprets into its own law. A regulation is implemented to ensure a level of consistency across all EU members.
From May 2016, the GDPR entered into a 2-year transition period, giving organisations time to understand the new regulation and ensure compliance. This means that on May 25th, 2018, the GDPR will be enforced and must be complied with.
Do We Still Have To Comply When We Leave The European Union?
The government has confirmed that the UK’s decision to leave the EU will not affect the commencement and implementation of the GDPR.
Does the GDPR Apply To Your Business?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. In theory, the controller could be any organisation or business, from a profit-making company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors themselves must abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act that we currently use.
What Happens When The Legislation Comes Into Effect?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What is Classed as “Consent” Under The GDPR?
If the prospect, client or ex-customer has given permission for their data to be processed, then they have consented. Alternatively, consent can mean processing that is needed to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; that is in the public interest; or that is in the controller’s legitimate interest, such as preventing fraud. At least one of the above justifications must apply in order to process data and be classed as consenting.
Consent must be an active, conscious and affirmative action by the person or company, rather than the passive acceptance allowed under some current models that rely on pre-ticked boxes or opt-outs. A data subject can no longer be automatically opted in; they must choose to opt in, otherwise it is not classed as consent.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
“The Right to be Forgotten”
Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.
How Do I Prepare My Business for the GDPR?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
Download and read this document produced by the Information Commissioner’s Office (ICO) to ensure your business is fully prepared and compliant with the GDPR: GDPR ICO Document
Microsoft’s Response to the GDPR
In response to the upcoming implementation of the General Data Protection Regulation, Microsoft has introduced a new, complete, intelligent solution that includes Office 365, Windows 10 and Enterprise Mobility + Security, and that empowers everyone to be creative and work together securely. The purpose of this solution is to empower your team, safeguard your business, and simplify IT management with a single solution, purpose-built for your business.
What Does it Include?
- It comes with Office – Stay up-to-date with the latest versions of Word, Excel, PowerPoint, and more.
- Email and Calendars – Connect with customers and co-workers using Outlook and Exchange.
- File Storage – Manage your files from anywhere with 1TB of storage.
- Data Protection Controls – Help secure business data on personal and company-owned devices.
- Safest Windows Ever – Get upgraded to Windows 10 Pro from Windows 7 and 8.1 Pro.
- Cyber Security – Help protect PCs from malware, viruses, and spyware.
- Administration – Manage new PCs and devices faster and more easily than ever.
- Support – Get 99.9% uptime guaranteed and 24×7 online and phone support.
Contact us now for more information on any of the above or if you would like to get a quote for Microsoft 365 for your business.