GDPR in a nutshell
What is GDPR?
- It stands for General Data Protection Regulation
- A full guide to GDPR, supplied by the Information Commissioner’s Office (ICO), can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- GDPR is a set of regulations that stipulates how you gather and store personal data
- If you have day-to-day responsibility for data protection in your organisation, you need to comply with GDPR requirements
The nutshell part
- Unbundle consents: consent requests should be obvious, easily understood and separate from other terms and conditions. Consent should not be a precondition of signing up for a service unless it is necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid. Use unticked opt-in boxes or similar active opt-in methods.
- Granular options: give granular options for consent wherever possible and appropriate. This means seeking different levels of consent if data can or will be used in different ways or by different parties.
- Naming: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documentation: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. Greater emphasis is placed on the documentation that Data Controllers must keep in order to demonstrate their accountability.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
Privacy by default
Data controllers will need to demonstrate GDPR data compliance. They will be required to maintain certain documentation.
Right to be informed
Transparency requirements give individuals the right to be informed about the personal data you collect and use. Data controllers must notify data protection authorities and affected users as quickly as possible and no later than 72 hours in the event of a data breach.
Right to erasure
A person for whom you hold data can request to have their data removed when there is no legitimate reason for the organisation to keep it.
Right of access
Individuals have the right to access their personal data and supplementary information.
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. You have one calendar month to respond to a request.
When does it come into effect?
GDPR comes into effect on the 25th of May 2018.
Who does it affect?
Anyone that trades in the EU and collects personal data.
But the UK is leaving soon – does GDPR still count?
Yes, the UK is adopting it on the 25th of May and will still adopt it post-Brexit, whatever form that is in.
What if I don’t comply?
Penalties for non-compliance could reach up to 4% of annual turnover or 20 million Euros, whichever is higher.