GDPR is to be a very similar beast to the Data Protection Directive with which we’re already familiar. However, the intention of GDPR is to tighten up on some of the elements already being adhered to. In some instances, this means introducing more specific elements within the definition of the regulations. And in some instances, this means extending the definition of specific elements to keep up with the fast-moving world of data.
Today’s article is intended to give you a brief outline of these additional or extended elements, so you can be prepared for May 2018.
It goes without saying, really, that personal data must be processed lawfully. However, additional stress is now being placed on the processing being fair and transparent too. Consent for the storage and use of data cannot be assumed or ambiguous. So data capture forms that leave a person to ‘opt out’ rather than ‘opt in’ will no longer be acceptable.
When an individual is giving permission for their data to be stored and used, they must be explicitly informed as to how it will be used; and use, thereafter, cannot be incompatible with what was outlined when they gave their permission. It’s worth noting that where personal data is archived for purposes relating to the public interest, scientific or historical research purposes, this would not be deemed incompatible. But there are still conditions that must be met for this to be permissible.
Put simply, the minimum amount of personal data must be collected and stored to achieve the objective specified. You can’t spuriously ask for birth date, just in case you’ll need it in the future, unless it is needed for the purpose you specify.
There will be a strong onus on businesses that store data to ensure not only that it’s accurate at the time of collection, but that it is then kept up to date on an ongoing basis. If data is found to be inaccurate at some point, every reasonable step must be taken to erase or correct the error without delay.
Basically, data can only be stored for as long as is necessary for the purposes originally explained to the individual. It is possible for it to be stored longer, but only if it’s purely for archiving data that’s in the public interest, or for scientific and/or historical research purposes. However, the storage of such data is still subject to the implementation of technical and organisational measures deemed appropriate.
Data has to be managed in a way that ensures it is protected from unauthorised and/or unlawful processing and from accidental loss, destruction or damage. There are accepted, appropriate technical and organisational measures that can be used to achieve this.
Not only is every data controller responsible for ensuring personal data is processed in a way that complies with the principles set out in GDPR, but they must be able to demonstrate this is the case too.
It’s really important that businesses familiarise themselves with the upcoming changes, so we’d recommend you do your research. Often data is stored digitally, which is why we at Blue Sky Computer Solutions are keen to work with you to ensure you meet your obligations. If you’d like to find out more about how we can help, please do give us a ring. It’s important you get this right… now!