Posted on 28th October 2019 at 15:59
The General Data Protection Regulation (GDPR) has overhauled how businesses process and handle personal data. It came into effect on 25 May 2018.
The principles are as follows:
1. Lawfulness, fairness and transparency
This principle emphasises complete transparency for all EU data subjects. When organisations collect data they must be clear about why the data is being collected and how it is going to be used. If you request further information about how your data has been processed, organisations have a duty to provide it to you within a reasonable amount of time. Data must be collected, processed and disclosed in accordance with the law.
2. Purpose limitation
There needs to be a specific and legitimate reason for an organisation to collect and process personal information. The data must be used for the designated purpose only and cannot be processed for any other use. That is, unless you provide your explicit consent.
3. Data minimisation
The data needs to be limited to what is necessary for the purpose for which it is being processed. It must be adequate and relevant. Organisations cannot just collect personal data on the off chance that it might be useful in the future; they should only store the minimum amount of data required for their purpose. If they hold more data than necessary, this is likely to be unlawful.
4. Accuracy
It is important to ensure that personal data is accurate, fit for purpose and up to date. For organisations this means regularly reviewing the information they hold about individuals and then amending inaccurate information or deleting it completely. Individuals have the right to request that incomplete or incorrect data is erased or rectified within 30 days. This streamlines the information held, improves compliance and makes sure business databases are accurate and up to date.
5. Storage of information
Once personal data is no longer needed for the purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it. It is up to the organisation to decide how long to keep personal data based on the purpose for processing, as the GDPR rules do not say how long personal data should be kept. Organisations should have a process in place for cleansing databases to ensure compliance. There are exceptions for storing data for archiving, research or statistical purposes, but other than these the general rule is not to hold on to personal data for future use.
6. Integrity and Confidentiality
This principle deals exclusively with security. Organisations need to ensure that all appropriate measures are in place to secure the personal data they hold. This may mean protection from internal threats, for example unauthorised use, accidental loss or damage, or from external threats, for example phishing, malware or theft. Poorly secured information could jeopardise systems and services as well as cause distress to the people concerned. The GDPR states that organisations need to have levels of security in place that are appropriate to the risks presented by processing the data.
7. Accountability
The last, and new, principle under the GDPR states that organisations are responsible for the data they hold and must demonstrate compliance with the other principles. Organisations need to be able to evidence the steps they have taken to achieve compliance. For example, this could be done by appointing a data protection officer, carrying out data protection impact assessments and evaluating current practices.