GDPR Demystified

By Alex McCreath
12 December 2017

The EU’s General Data Protection Regulation (GDPR) is set to come into force in May 2018. Many of its principles are the same as those of the current Data Protection Act (DPA), which it will replace; therefore, for businesses that comply fully with the current law, most of what they already do will remain valid under GDPR.

The premise of GDPR revolves around the handling of the personal data of EU citizens and what is necessary in order to protect it (note that the government has stated that this will remain in force post-Brexit). Given that this covers all data gathered both before and after May 2018, it requires that a business is able to demonstrate that it has taken all reasonable steps to ensure that it has sought the consent of individuals to hold specific information going forward. What is deemed ‘data’ is any information that can identify a person (and this can include social media comments or even an individual’s personal computer IP address).

Any business that collects individual information during its daily activity must have processes in place which will allow a request from an individual (known as a ‘Subject Access Request’) for their data to be identified and thereupon either edited or deleted as part of the ‘right to be forgotten’.

A business must be able to demonstrate how it securely stores personal data, outlining the protocols that are in place to ensure that it cannot be penetrated, stolen or shared without the authorisation of the individual. Additionally, it necessitates that staff are trained and that a policy (which can be shared upon request) is in place to protect and manage the information held. Organisations are grouped based on their activity according to the following:

Controller

An organisation that determines the purpose under which personal data is processed. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

Processor

An organisation that processes and stores personal data on behalf of a controller.

The following suggests what steps can be taken to conform to GDPR.

1st Step

Audit

We recommend that an audit is undertaken which will identify the data held, on what basis it is held, and how it is accessed internally or externally to the organisation. Doing so will allow for an understanding of:

  • Where and what data is being held
  • What consent is attached to said data in its entirety or in part
  • Who has access to it and under what role/ access rights these are granted

The likelihood is, unfortunately, that part of the above will not have been either sought initially or collected as part of holding data, and therefore GDPR requires that consumers are re-engaged to seek anew their ‘consent’ to hold data for the purpose of providing a service to that individual.

2nd Step

Actions

Having undertaken an audit of data and internal protocols, an organisation must determine whether these conform to GDPR or require improving.

In terms of protocols, depending on the size of the organisation, this may require the creation of a new role identified as the ‘Data Controller’, whose responsibility is to monitor the organisation’s data policy activities.

An organisation must train staff who access personal data to ensure that they are compliant with the GDPR policy.

Whatever system is employed to hold personal data must have the means to easily access an individual’s information and, based on the request, update/ delete it.

Any current processes employed for data capture should contain an ‘opt-in’ function, as it will no longer be acceptable to imply consent either by statement or by a pre-ticked box.

With regard to personal data already held, it is recommended that an organisation looks to run a ‘permissions’ campaign (or campaigns) to seek new consent. This would allow it not only to conform to the ‘opt-in’ protocol but also to establish the basis upon which future consent can be sought, given that such consent requires regular updates (note that the period of consent is not identified specifically).

Advice

The principles of GDPR are straightforward; however, how they apply to each and every business is not, since it depends entirely on how that organisation gathers and holds personal data.

Rocktime will work with existing clients, as well as new client enquiries, to establish what is needed on an individual basis, confirm what conforms and make recommendations.

Feel free to contact us to discuss how we can help you to comply with GDPR.

For more advice and information on GDPR visit ICO (Information Commissioner’s Office).
