Any business or organisation providing the general public with a product or service should be familiar with the UK Data Protection Act 1998, and from May 2018, the European Union will enforce GDPR (General Data Protection Regulation) in addition to the existing data protection framework that already exists. This legislation sets to strengthen and unify data protection for all citizens in the European Union within digital economies where the exchange and commodification of information becomes vital within day-to-day business transactions. Businesses which operate externally to the European Union, but sell goods and services to the EU, will also have to follow this legislation. Although the UK is set to leave the EU, this European directive will still be enforced in the UK – with backing from the UK Government. KBR, a digital networking and wifi security product firm, look at what GDPR means for organisations across the European Union.
Put simply, GDPR impacts any business or organisation that handles personal data. Defined within this legislation, there are two types of operative defined within this law: controllers and processors. Processors handle the information provided by controllers; it is the responsibility of the data controller to ensure that personal information about an individual is disseminated and distributed in accordance to statutory guidelines in a way that does not compromise that individual’s privacy. However, processors will be under significantly more legal liability if they are responsible for a data breach.
For example, within a payroll company, a controller would be the person to define how and why personal data about those being paid is processed, while the processor acts on the controller’s behalf to ensure that personal information is processed in an appropriate way and through the correct communication channels.
What types of information are covered by GDPR? All personal data is covered – including medical records, home address, contact numbers, email addresses, banking details and any other personal information that is specific to an individual. However, the GDPR has taken the definition of personal data a step further; now, information such as a computer IP address is personal data. This is to ensure that users are protected online, and that individuals cannot be located by using a personal computer device, while protecting the data that users input online from malicious software that seeks to access personal information via an IP address.
Should businesses and organisations revise their data protection policy? As a precaution, it is advised that businesses and organisations revise their existing data policy, to ensure that it is in line with the new digital framework that has been set out by GDPR. However, because existing legislation exists to protect sensitive personal information, most organisations should already be protecting personal information in the appropriate way.
What rights do individuals have regarding their personal information? As a controller or processor within a business or other organisation, individuals hold certain rights that should be adhered to when handing their person information. These rights cover a variety of situations and should act as a guideline when information is processed on an individual’s behalf. Rights for individuals regarding their personal information shared by organisations are as follows:
– The right to be informed. To individuals, information regarding how personal data is processed should be written when requested in the form of a privacy note, which emphasises the need for transparency regarding the way how personal data is used.
– The right of access. Individuals have the right to be notified that their data is being processed, while gaining access to their personal data alongside other supplementary information – included within a privacy notice.
– The right to rectification. If personal data is incorrect or inaccurate, then individuals are entitled to request that this information be rectified. Third parties must also be informed so that they can make rectifications in the information that has been passed on.
– The right to erasure. If personal data is no longer required by an organisation, or the information does not need to be possessed, then an individual has the right to request that this information be forgotten.
– The right to restrict processing. Individuals can restrict the right of organisations to process data. This personal data can be stored, but it cannot be processed once it has been stored.
– Data portability. Without hindrance, individuals are entitled to use their own personal data stored by an organisation and distribute freely across one IT system or environment to another safely and securely.
– The right to object. If personal data is being processed for purposes such as profiling, direct marketing or scientific and historical research and statistics, then individuals have the right to object to such activities.
– Automated decision making. If organisations use personal data within automated systems that negate the need for human decision making, then GDPR safeguards individuals from any damaging effects incurred through this process when data is handled. Therefore, decisions made regarding personal information should always be challenged by human intervention to ensure that personal data is always processed safely.
