A Simple GDPR overview for those getting started
So what is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that applies from the 25th of May 2018. Its aim is to protect individuals by updating data protection law that has not kept pace with the changes brought about by modern technology such as social media, automated marketing and data mining.
It is similar in many ways to the existing data protection law it replaces (the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998), so if you already comply with the current law you should be in reasonable shape. There are however differences, principally in the rights a person will have, the circumstances in which you will be allowed to use personal information, and the need to be able to demonstrate that you are complying.
Unlike the Directive, the GDPR applies directly in every EU member state without needing to be written into national law. Each member state does however have the opportunity to make ‘derogations’, or limited national variations, in the areas where the regulation permits them. In the UK these are set out in the Data Protection Bill.
Does it apply to me?
The GDPR applies to anyone established in the EU who stores or uses personal information. This means that if you hold information about employees, customers or any other individual, it will apply to you.
The GDPR also applies to organisations based outside the EU if they offer goods or services to people in the EU or monitor their behaviour. Selling into the EU, or marketing in EU languages or currencies, are indicators that you are targeting people in the EU, so if your organisation does this it is likely to apply to you as well.
What sort of information is covered?
The regulation covers all types of personal data. Some are obvious, such as name, phone number and address. Other information that is also classed as personal but is less obvious includes biometrics, health records, IP addresses and cookie identifiers: anything that could directly or indirectly identify an individual.
There are additional provisions for ‘special categories’ of sensitive data: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used to identify someone, health data and data about sex life or sexual orientation. Criminal records and children’s data are not special categories in the regulation’s terms but also have their own additional safeguards. If you use any of these, there are extra considerations.
It is also important to note that the regulation applies irrespective of how the information is stored, so it covers your paper filing systems as well as your digital records.
What is it trying to achieve?
The GDPR is not trying to stop the use of personal information. It seeks to protect individuals by ensuring that those using the information do so with due care and consideration of the risk to the individual, whilst putting safeguards in place to protect the individual.
From an individual’s perspective the regulation strengthens existing rights, such as the right to access their data, and adds new ones, such as erasure and data portability. Organisations will be required by law to support these rights and to act on individuals’ requests within set time limits.
Organisations will need to ensure they have implemented appropriate policies, procedures and IT systems to protect the data they use and to minimise the risk to individuals. The regulation sets out specific processes, such as data protection impact assessments for high-risk processing, and records, such as a register of processing activities, which need to be maintained to prove that this is being done.
What should I do?
The good news is that there is a lot you can do yourself. Most organisations will follow the same steps:
- Understand what personal information you have and why it is needed
- Decide the legal basis which allows you to use personal information
- Implement processes to support the rights of individuals
- Implement organisational and technical measures to protect the information you use
- Take steps to meet the principles of processing
The website of the Information Commissioner’s Office (ICO) is also a very good resource.
Anything else I should know?
There are a very large number of organisations providing GDPR products and services. Be wary of anyone who says they can do it all. Implementation of the GDPR requires a broad range of IT, Legal, HR, Change and Industry skills. You will most likely need advice and services from more than one source.
The GDPR has several ‘vague’ areas within the regulation. Bodies such as the Information Commissioner’s Office and the EU’s Article 29 Working Party are trying to clarify these by issuing ‘guidance’. Some of this guidance has already been provided and more will be issued over the coming months. Once May 2018 is past we will then move into a period of legal challenge and case law. This means the understanding of the GDPR is evolving and the requirements could change.
Our Simple GDPR Overview Presentation
We’ve made this download truly free, but it would be appreciated if you would share this article with your networks. Sign up below to get it.