February 19, 2018
Like the Data Protection Act, GDPR applies to “personal data”. However, the GDPR definition is more detailed and makes it clear that information such as an IP address can also be classified as personal data. For most organisations that keep HR records, customer lists, contact details and the like, the change to the definition should make little practical difference to what you already have in place under the Data Protection Act.
GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the Data Protection Act’s definition and could include chronologically ordered sets of manual records containing personal data.
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs. Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data.
People can ask for access at “reasonable intervals”, and controllers must generally respond within one month. GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it, and must be clear (using plain language) in explaining these things to people.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them. They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’ and they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.
Controllers must now store people’s information in commonly used formats (like CSV files), so that they can move a person’s data to another organisation (free of charge) if the person requests it. Controllers must do this within one month from receipt of request.
If you suffer a data breach that puts the rights and freedoms of individuals at risk, you must notify the Information Commissioner’s Office (ICO) within 72 hours of your organisation becoming aware of it. While you can’t be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the data that has been breached, and the approximate number of people affected. You must notify the people affected by the data breach, even before you tell the data protection authority.
If you don’t meet the 72-hour deadline, you risk being saddled with a fine of up to €10 million, or 2% of your global annual turnover, whichever is greater.
Quite simply, if you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.