GDPR for Newbies

A GDPR Primer for those getting started

So what is the GDPR?

The General Data Protection Regulation is a new European Union law that becomes enforceable on the 25th of May 2018. Its aim is to protect individuals by updating data protection law, which has not kept pace with the changes brought about by modern technology such as social media, automated marketing and data mining.

It is similar in many ways to existing data protection law, so if you are aligned to existing laws you should be in good shape. There are, however, differences, principally in the rights a person will have and also the circumstances in which you will be allowed to use personal information.

Each of the EU member states will take the regulation and turn it into their own national law, with the opportunity to have ‘derogations’, or minor amendments, to suit their country – in the UK this will be the Data Protection Bill.

Does it apply to me?

The GDPR applies to all those who use personal information within the EU. This means that if you store or use information about employees, customers or any individual it will apply to you.

In addition, the GDPR also applies to organisations that trade and operate within the EU, even if they themselves are based outside the EU. So if your organisation sells products or services into the EU, or in EU languages or currencies, then it applies to you as well.

What sort of information is covered?

The regulation covers all types of personal data. Some are obvious, such as name, phone number and address. Other, less obvious information is also classed as personal: biometrics, health records, IP addresses and cookies – anything that could potentially identify an individual.

There are additional provisions for ‘special categories’ of sensitive data. If you use criminal records, political views, or racial, religious, trade union, genetic, children’s, biometric or health data, then there are additional considerations.

It is also important to note that this applies to all information irrespective of how it is stored – so it will apply equally to your paper records as well as your digital ones.

What is it trying to achieve?

The GDPR is not trying to stop the use of personal information. It seeks to protect individuals by ensuring that those using the information do so with due care and consideration of the risk to the individual, whilst putting safeguards in place to protect the individual.

From an individual’s perspective, the regulation provides new rights to access their data and control what is done with that information. Organisations will by law have to support these rights and act on the requests individuals make under them.

Organisations will need to ensure they have implemented appropriate policies, procedures and IT systems to protect the data they use and to minimise the risk to individuals. The regulation sets out specific processes (such as impact assessments) and records which need to be maintained to prove that this is being done.

What should I do?

The good news is that there is a lot you can do yourself. Most organisations will follow the same steps:

  1. Understand what personal information you have and why it is needed
  2. Decide the legal basis which allows you to use personal information
  3. Implement processes to support the rights of individuals
  4. Implement organisational and technical measures to protect your use of information
  5. Take steps to meet the principles of processing

If the above sounds daunting, you can use Gydeline to identify the specific actions that you need to complete.

The website of the Information Commissioner’s Office is also a very good resource.

Can’t I just wait until May 2018?

Whilst the regulation is already in force, it becomes fully enforceable in May 2018, and it would be extremely risky to leave your preparations until then. It is very unlikely that your organisation will be able to meet all the requirements of the regulation in a short period of time.

The GDPR was deliberately released with a two-year transitional lead time to give organisations time to prepare.

The best advice is to begin immediately and to put plans in place to meet as much of the regulation as you can by May 2018.

Anything else I should know?

There are a very large number of organisations providing GDPR products and services. Be wary of anyone who says they can do it all. Implementing the GDPR requires a broad range of IT, legal, HR, change management and industry skills. You will most likely need advice and services from more than one source.

The GDPR has several ‘vague’ areas within the regulation. Bodies such as the Information Commissioner’s Office and the EU Article 29 Working Party are trying to clarify these by issuing ‘guidance’. Some of this guidance has already been provided and more will be issued over the coming months. Once May 2018 has passed, we will move into a period of legal challenge and case law. This means the understanding of the GDPR is evolving and requirements could change.

The good news is that Gydeline can provide specific actions for your organisation and is also updated with all the guidance for the GDPR, which means your organisation doesn’t have to worry about these aspects.

Where can I get more help?

There is more help on our resources page, and explanations of terms in our Glossary.

In addition, please contact us via our support page if you have any questions.

Information Commissioner’s Office Website

Article 29 Working Party Website

The regulation in full


How Gydeline helps

We at Gydeline help small and medium-sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims. We do this with a range of services.

If you would like to discuss any aspect of dealing with this and other risks in your business, we are always happy to offer some free, no-obligation assistance – just contact us.
