GDPR – It’s serious

The General Data Protection Regulation (GDPR) applies in the UK from May 25, 2018. The UK Government has confirmed that this legislation will be unaffected by the decision to leave the EU.

While many of the principles of data protection remain the same, the processes and procedures that must be in place to achieve compliance have been significantly tightened.

The maximum fines that can now be applied by the ICO (Information Commissioner’s Office) for non-compliance or data misuse have increased to €20m or 4% of global annual turnover, whichever is the higher.

GDPR, the Principles

1. Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
2. It must be collected for specified, explicit and legitimate purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is permitted, as it is treated as compatible with the initial purposes.
3. The data collected should be adequate, relevant and limited to the stated purposes.
4. It must be accurate and up-to-date; inaccurate or irrelevant data must be erased or rectified without delay.
5. It must be kept no longer than is necessary for the purposes for which the personal data are processed; archiving in the public interest, scientific or historical research or statistical purposes allow a longer retention period.
6. It must be securely processed, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Controller or Processor

Prior legislation placed all the responsibilities of data processing on the “Data Controller”: usually the organisation that owned and used the data. The Data Processor – unless negligent – simply did what they were told.

From May 2018, both Processor and Controller have similar duties of care, and the Controller, in addition, needs to ensure that all contracts make the Processor’s responsibilities clear and must be able to prove compliance.
Chiasma Data Limited·info@chiasmadata.com·+44 (0)1276 919819
Basepoint Business Centre·377-399 London Road·Camberley·Surrey·GU15 3HL

GDPR: May, 2018

The GDPR legislation is detailed, so some items of arguably more immediate concern are:

Consent

Consent is essential: the prior legislation would allow a “failure to opt-out” to count as a granting of consent. This is no longer the case. You will need explicit and informed consent. This means:
• No pre-ticked boxes, and no burying the consent in an information request form
• Double opt-in on all email subscriptions
• Third-party data without proof of source, and without double opt-in with explicit consent to pass the data to you, is not allowed
• Record and remember where the consent came from
• Clear and simple methods to allow unsubscribes
• Let users edit/delete their own data

“Fresh consent will be required after May 2018 if you cannot prove that your data acquisition methods were compliant with the new legislation.”

Documented Processes

GDPR requires that the organisation has documented processes to comply with the various aspects of GDPR. For example:
• If a data or security breach occurs, what happens, who is informed, and what safeguards are in place?
• You have 72 hours from becoming aware of an identified breach to inform the relevant supervisory authority (unless the breach is unlikely to result in a risk to individuals) – how will you achieve this?
• What process is applied to granting access to personal data within the organisation?
• How are clients to be informed?
• How are third parties to be informed?
• Who is responsible for compliance within the organisation?

Restricted Processing

GDPR grants a data subject the right to restrict the processing of their data to the narrow purpose of storing it, without its further use.

The conditions around this can be complex, but having the ability to isolate data and remove it from regular processing is required.
Right to Erasure

Otherwise known as “the right to be forgotten”, this right, conferred under the GDPR, requires that you can identify where any data about the subject is held and either delete it, or have mechanisms in place to obfuscate the data or place it beyond use.

In particular, if the data has been shared with a third party you must know that this has happened and have processes in place to ensure the third party’s compliance.

This should be of particular concern in any organisation where you know or suspect that lists of customers and their contact details have been passed around in spreadsheets.

“If you are currently dependent on spreadsheets or similar desktop tools for data processing then you are in trouble!”

What Next?

Take a close look at your processes and make sure it is somebody’s day job to understand the implications for the organisation.

You have to demonstrate compliance – so review, design and document the processes by which you acquire and manage consent.

“Specifically, audit your consent procedures now and seek refreshed consent if you are unsure – by May next year it will be too late”

ChiasmaData designs, builds and manages databases, reporting and business intelligence solutions. If you would like to discuss how we might help you make more of your information, simply email paul@chiasmadata.com or call 07880 706162.