The General Data Protection Regulation (GDPR) comes into force across the EU on May 25th 2018. The intention is to “create a landscape of consistency”, providing individuals with more control over how organisations use their personal data and enhancing privacy as a human right.
As deadline day draws nearer, it's vital to ensure that you are fully informed and prepared for compliance. So here's a reminder of the important changes, what effect they will have and some unavoidable actions that we all must take.
To help you to make sense of it all, we’ve compiled a guide to summarise the major changes and implications, some checks you might want to undertake and some tips for the future. For a more comprehensive overview, read our eBook ‘Guide to GDPR’.
To be sure that your company is compliant, it’s first important to know exactly what definitions these new rules are pointing to.
The GDPR is primarily concerned with “Personal Data”; this is any information relating to an identifiable natural, living person. Importantly, data needn’t include someone’s name to be considered “personal”. If it’s possible that an organisation could access and cross-reference information that could reasonably lead to identification, then each piece of that data is deemed “personal”.
This leads to the next key definition: the distinction between ‘anonymisation’ and ‘pseudonymisation’. If data is anonymised, it has been irreversibly altered to destroy all possibility of identification; as such, anonymised data does not fall under the GDPR. On the other hand, pseudonymised data can still be correlated from its seemingly abstract entries back to specific individuals, so pseudonymised data is still personal data.
Special Category Personal Data requires further security measures. Any data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric information, or details concerning a person’s health, sex life or sexual orientation, can only be processed under specific conditions. Outside of legal proceedings or the interests of public safety, any organisation planning to handle special category data must obtain explicit consent.
Once an individual consents to sharing their personal information, it passes into the hands of a Data Controller and a Data Processor. A Data Controller exercises exclusive control over the data, deciding which information is necessary and what it is used for. A Data Processor is subject to fewer obligations, as it handles personal data on behalf of a controller. However, in the absence of a prescriptive agreement, a processor can define the methods for storing, transferring, retrieving and deleting data. Importantly, BOTH parties are responsible for the security of the data and liable in the event of a breach.
We’re sure that you’ve been preparing for the upcoming changes already, but as we near the deadline, check that you have taken the following steps to avoid those hefty fines:
Ensure that you are fully prepared before the 25th of May, by clicking through to our in-depth 'Guide to GDPR'. Inside you will find:
Compliance is vital and unavoidable, so if you are in any doubt, be sure to seek advice and do further research.
(Title image sourced via Flickr.)