The General Data Protection Regulations (GDPR) are new regulations that will come into effect in the UK from 25th May 2018. They are similar to the Data Protection Act 1998, but expand upon the act and include some new requirements.
Under GDPR there are 6 data protection principles. They require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specific purposes and not used for anything other than the purpose specified
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept only as long as is necessary
- Processed in a manner that ensures appropriate security of the personal data
What is Personal Data?
Personal data is anything that can be used to identify an individual, such as, but not limited to:
- Address (or email address)
- Date of Birth
- Bank Account Number
GDPR also provides the following 8 rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The Information Commissioner’s Office has more information about these rights if you wish to read more.
What do you need to do to comply?
The important thing at this stage is “Don’t Panic!” There is still some time before the regulations take effect and if you are already compliant under the Data Protection Act then you have a good start to build on.
The main things you will need to do are:
- Tell people why you are collecting their data and what you do with it in a clear and understandable way. This is especially important when getting consent to send people emails.
- Ensure the data you keep is secure and know what to do in the event of a breach. If you have insurance, remember that it will only pay out if you can prove you were compliant.
- Update your privacy notice.
It might help when collecting and processing personal data to ask yourself – Would I be happy if someone else was doing this with my personal information?
Where can you go for more information?
Janet Murray has an excellent interview on “What you need to know about Data Protection” in her Soulful PR Podcast Episode 207. I found it so useful that I listened to it twice.
The Information Commissioner’s Office has very detailed information on the GDPR including:
- An overview of the GDPR
- Getting ready for GDPR checklist
- Preparing for GDPR – 12 steps to take now
- GDPR FAQ for small businesses
- A new advice line for small businesses