The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. The regulation is designed to control the processing of personal data.
What constitutes "personal data" or "personal information"?
The following, although not exhaustive, are examples of personal data:
Name/address/postcode/bank details/bank cards/website/employer/NI no./doctor/dentist/charities subscribed to/solicitor/accountant/credit score/retail profile/employment history etc.
What information do you hold on your customers/clients and how are you processing and protecting their personal data?
Maybe some of the above, but also: property owned/income/salary/religion/interests/family/behavioural activity/geo data/job titles etc.
Purpose of GDPR
The purpose of the General Data Protection Regulation is to: 1) give individuals rights that they can legally enforce, requiring organisations to process their information according to the relevant legislation; and 2) give organisations guidelines on the minimum standards they should apply when handling personal information.
It protects the individual's right to privacy, balanced against, for instance, security issues and the organisation's ability to operate in a market economy.
What is classed as an organisation?
An organisation can be a sole trader, partnership, limited company, blue chip Plc company, multinational or local authority, government department, hospital, charity or voluntary body. Any legal entity that is not a "natural person" is an organisation. GDPR is designed to promote high standards when dealing with personal information and an individual's right to confidentiality and privacy.
Organisations who hold personal data must:
- Keep personal information safe and secure
- Keep it accurate and up-to-date
- Not collect excessive or irrelevant information
- Only keep it for as long as they need it
- Only send it to companies/countries who protect the data the same way as we do in the EU
- Not use it in a way that you might not expect.
Personal Data/Personal Information
Personal data or personal information is only classed as such when it can identify an individual, who is then classed as a "natural person". Under GDPR, once a person can be identified, they are known as the Data Subject.
GDPR does not apply to deceased individuals. If all that is known about a person is a name, say John Smith, this is not enough to be personal data; however, if for instance you knew the telephone number of John Smith, then this would identify him as a "natural person".
Personal data may also include one or a combination of these: location, genetics, biometric information, IP addresses, photos and images which could lead to the person being identified.
When an individual provides personal information they should be told:
- Why it is required
- What the organisation intends to do with it.
- How long they will keep it
- That the organisation promises to keep it safe
- What their rights are as an individual
- Whether the data is to be shared with a third party
Does your business operate CCTV?
Closed-circuit television comes under the General Data Protection Regulation because organisations are capturing images of individuals who may be identified, and therefore such footage (data) must be protected and secured just the same as personal data kept on a PC or CRM system.
Categories of Personal Data
A person's name, address, DOB and financial data, for instance, are classed as Standard Categories of personal data.
However, there is also another category, known as Special Category (sensitive) personal data, which would include:
- Medical Records
- Racial or Ethnic Origin/Political Opinion/Religious Beliefs
- Connection to Trade Unions
- Genetic Data
- Criminal acts
These are just a few of the key facts about the General Data Protection Regulation. It is vitally important that Staffordshire Moorlands businesses ensure compliance with the regulation.
In the worst-case scenario, the Data Protection Authority can impose a fine of 20 million euros or 4% of global turnover, whichever is the greater, if there is "a breach of fundamental rights and freedoms" of the individual.