
[22.08.2017]

The General Data Protection Regulation (GDPR) – Are you ready?


The General Data Protection Regulation (GDPR) comes into effect in the UK from 25th May 2018. Whilst this is EU legislation the government have confirmed that the decision to leave the EU will not affect the commencement of the GDPR in the UK.

The UK Information Commissioner’s Office (ICO) describes GDPR as operating on similar principles as the Data Protection Act, but with an added layer of detail and an additional concept of accountability. It will also require that you document and demonstrate how you comply with the principles.

What does the GDPR cover?

The GDPR applies to ‘personal data’, i.e. information about, and data that can identify, individuals.

Who does the GDPR apply to?

The GDPR applies to data controllers (who determine how and why personal data is processed) and processors (who process the data on behalf of controllers).

So what are the key issues you are likely to face?

Lawful processing

If you are processing personal data, you need to have a legal basis for doing so and must be able to document it. Relying on someone’s consent? Well, you may find that they have greater rights in future – particularly to have their data deleted.

Consent

People need to take affirmative action to give consent to their data being used. If they are silent or you have pre-ticked boxes for them, that won’t count. You need to record when and how the consent was given. What’s more, it can be withdrawn at any time.

Children’s personal data

The GDPR enhances the protection of children’s personal data. For services offered directly to a child the privacy notices must be written in a clear way so that a child will understand. If you offer an online service to children you may need to obtain consent to process the child’s data from a parent or guardian.

The rights of individuals

The GDPR gives a number of protections to individuals that your organisation must observe:

The right to be informed – you need to provide ‘fair processing information’, which will usually involve a privacy notice. It’s important to be transparent over how you use data.

The right of access – individuals will have similar rights to those under the Data Protection Act. They can ask you to confirm you hold data and request access to that data.

The right to rectification – if information you hold is incorrect or incomplete, an individual has the right to demand that you correct it.

The right to erasure – also known as ‘the right to be forgotten’. Someone is entitled to request that you delete or remove personal data if there is no compelling reason for your continuing to process it.

The right to restrict processing – if an individual asks for the processing of their data to be blocked, you must respect their request. You are only allowed to store the data and retain enough information to ensure their wish is respected.

The right to data portability – this allows people to obtain and then reuse their data – transferring it from one IT environment to another.

The right to object – an individual can object to profiling conducted in the public interest or for direct marketing purposes. They can also object to the use of data for scientific or historical research and statistics.

Accountability

The GDPR will place a higher emphasis on accountability than the Data Protection Act. The aim of this is to minimise the risk of a data breach and to protect personal data. You will be required to demonstrate that you comply with the regulations. This may include implementing appropriate internal policies, maintaining documentation on processing activities and appointing a data protection officer.

Summary

The detail of the regulations is understandably complex, so if you process personal data there are a number of areas that your organisation will need to consider. Your trade or professional association will be working with the Information Commissioner’s Office (ICO) to prepare guidance for your sector. Speak to your professional advisers, who will also be able to assist.

See the ICO’s overview of the GDPR and their publication ‘Preparing for the General Data Protection Regulation (GDPR)’.

Keep visiting our site for more blogs on this topic over the coming months.


Andrew Picker
