The biggest change to data protection laws in 20 years. On the 25th of May 2018 the EU’s General Data Protection Regulation (GDPR) will come into effect. It will impact millions of businesses.
You should start getting prepared now for May 2018.
One in three businesses hasn’t heard about GDPR.
Powerful new rights for individuals to control their personal data
Right to be Informed
Individuals need to be informed when you collect or process their data.
How and when you must inform the individual:
• In clear, plain, concise language.
• In a reasonable period (within 1 month).
• Free of charge.
• When communicating with the individual.
• When disclosing data to another party.
What you must tell the individual:
• Your organisation’s identity.
• Your Data Protection Officer’s identity.
• The purpose of the data processing.
• The legal basis for your data processing.
• Details of transfer to any third country.
• The retention period, or the criteria used to decide it.
• The existence of the individual’s rights.
• Their right to withdraw consent at any time.
• Their right to complain to a supervisory authority.
• The existence of any automated decision making, including profiling.
• Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it.
• The categories of personal data.
• The original source of the data, and whether it was publicly accessible.
Right of Access
Individuals can now ask for access to their data and why you are processing it.
Individuals will be able to access:
• Confirmation that their data is being processed.
• Access to their personal data.
• Other supplementary information.
- How long do you have to comply?
One month. Two months if requests are complex or numerous (but you must inform the individual).
- Can you charge a fee?
No. It must be free unless the request is ‘manifestly unfounded or excessive’.
- How should the information be provided?
• You must verify the identity of the person making the request using ‘reasonable means’.
• If the request is electronic, you should provide the information electronically.
• Where possible organisations should provide remote access to a self-service system.
Right to Rectification
Data that is inaccurate or incomplete must be corrected on request.
Individuals can have personal data rectified if it is inaccurate or incomplete, without delay.
Right to Be Forgotten
Individuals can ask to have all their data deleted from your records.
You must erase personal data on request, or when you have finished processing it.
You must erase data:
• When the data is no longer necessary for the original purpose it was collected for.
• When an individual withdraws their consent.
• When an individual objects to processing.
• When the data was obtained unlawfully.
• When the law requires it.
Right to Restrict Processing
Individuals have the right to stop any further processing of their data.
Processing must stop if an individual:
• Contests the data’s accuracy.
• Objects to processing.
• Opposes erasure and requests restriction when processing is unlawful.
• Needs the data to establish, exercise or defend a legal claim.
Right to Data Portability
Individuals can obtain and reuse their data for their own purposes across different services.
• You must provide the data in a structured, commonly used, machine-readable form.
• You may need to transmit the data directly to another organisation if the individual requests it, if technically feasible.
Right to Object
Individuals can object to data being processed.
If the data is for direct marketing you must stop processing as soon as you receive the objection and deal with it free of charge.
Consent & Privacy
When and how to get consent:
• When any information is collected.
• Positive, opt-in boxes are accepted.
• Consent by ‘non-action’ is prohibited (e.g. pre-ticked boxes, opt-out boxes).
• Language should be clear, plain and accessible.
• The purpose of collection must be clear.
• State what the data is going to be used for.
• Inform who the data will be shared with.
• Disclose how long you will keep the data.
• Personal information can only be collected for specific, explicit and legitimate purposes.
• Only collect the minimum data you need.
• Data must be processed confidentially and securely by your data system.
• Only authorised individuals should have access to the data consented to.
Data Time Limit
• All data must have an expiry date.
• The expiry date must be appropriate for the collected purpose.
• If unsure, it is recommended consent be checked at least every 2 years.
• Data cannot be stored indefinitely.
• You must ensure data is accurate and correct.
• This is to avoid distress or harm to the individual.
• Individuals must be given a genuine choice.
• Service cannot be conditional on consent.
• Individuals must be able to refuse, or withdraw consent, without detriment.
• Provide your identity and contact information.
• Disclose your Data Protection Officer’s details, if relevant.
• Individuals under 16 cannot give consent.
• The UK may lower its age of consent to 13.
• Parental consent is required for anything other than counseling and preventative services.
Allow User Action
• Explain how to withdraw consent.
• Withdrawing consent must be as easy as giving consent.
• The Right to object to direct marketing must be clear.
• Special data categories (race, health, genetic) require explicit consent.
Uphold Individual Rights
• Individuals must be able to correct inaccurate data.
• Individuals must know what data has been collected and how it will be used.
• Individuals must be able to transfer their data to another system.
• Individuals must be able to withdraw consent.
Documentation & Process
• Prepare a clear record of your consent policy.
• Review and check it continuously.
• Make sure your existing data has the correct consent.