Hi everyone! Zarte here! I’m just banging my head repeatedly against a brick wall. Just give me a minute could you, I’m nearly finished...
OK, and I’m with you! Oh yes, no don’t worry about me, I’m fine – just a bit of blood! Why am I headbutting the wall? Oh you see, the Big Boss asked me to get inside the minds of our customers, and when it comes to GDPR – this is exactly the reaction that most seem to be having!
And it’s quite understandable on the face of it, it does seem incredibly daunting, and it does seem to some, like it’s going to reinvent the wheel. But it’s not, and over the next while, we’re going to be talking a lot about it on our blog, and hopefully guide us both through it!
This one is solely to give a basic outline of what GDPR is – just for those who are so far behind the 8-ball that they’re not even really sure on that.
In essence, GDPR is a new set of EU guidelines governing how businesses and organisations use and store personal data. It’s kind of like the Data Protection Act in this country, except it focuses on a far more global scale, and is more rigorous, to deal with the challenges and pitfalls of the 21st century.
There are six key principles of GDPR and one of the easiest ways to break it down is probably to go through those with you.
- That personal data should be processed lawfully, fairly, and in a transparent manner.
- That it should be used for explicitly specified and legitimate purposes.
- That it should be used in a way that is adequate, relevant and limited.
- That it should be accurate and kept up to date.
- That it should be kept no longer than necessary.
- That it should be processed in a manner that ensures appropriate security.
This in itself mightn’t sound too much like a massive departure from the existing DPA, and in many ways it’s not. However, the key changes come in the implementation.
First of all, it’s now no longer enough to just comply with the regulations. You also need to be able to evidence that you are doing so. Records will need to be kept on what you’re doing with what data and when you’re doing it.
GDPR removes your ability to charge a fee to someone asking to see the data you hold on them. It now must be free to do so, and they can ask you to amend incorrect information, ask for a portable copy of the data you hold, and indeed withdraw consent or have data removed altogether.
There are now differing categories of TYPES of data, with some, such as biometrics and genetics, classed as “special category data”. This is a more complex topic and we may come back to it at a later point.
And finally there are guidelines in place to fine those that mishandle data, with companies and organisations who handle data being liable for fines of 4% of their annual revenue, or over £17 million – whichever is larger.
The regulations will be enforced by the Information Commissioner’s Office in the UK, and they’ve already said that the guidelines will continue to be used by the UK after we exit the EU, meaning you can’t hope for Brexit to provide a reprieve if you don’t like it. GDPR is here to stay.
All these regulations will be legally enforced from the 25th May, so you’ve not got long now!
We’ll get into some more in-depth analysis and advice in future blog articles, but for now, this should be enough to be getting on with!
Until next time!