Author: Sinead O'Connor; Head of Regulatory & Compliance Services | DQ
Good, because that’s how long it took me to read through all the detail on the Information Commissioner’s web site about the new EU General Data Protection Regulation. Eighteen pages of handwritten notes later and I think I have got the measure of how much work might be involved in getting ready to comply.
If you reached the end of the first paragraph without thinking ‘Ah, but what about Brexit?’, well done. I genuinely don’t think though that Brexit will have a significant impact on the need to comply. Firstly, compliance will be required if you offer goods or services to EU residents. Granted this might be a smaller population for some businesses if the UK is not in the EU but in reality having separate data protection regimes for EU and non-EU residents won’t be very business efficient. Secondly, if an EU data controller wants to send you data, compliance will be expected in order to send you that data.
So what do you need to know?
One - the definition of personal data is expanded to include any data from which an individual can be identified, including their face (think developments in imaging for KYC and facial recognition software)
Two – there are six principles not eight, as per the Data Protection Act 2002, but the objectives are broadly the same
Three – it’s going to be all about the documentation – risk assessment for security of processing, internal policies to demonstrate compliance, the accountability factor (mentioned lots), records of processing activities etc
Four – an individual for which you process data (and that includes staff) will need to be told “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” what personal data you need, what you need it for, why you need it and how long you are going to keep it
Five – the aim of the GDPR is to put individuals in control of their own personal data and so existing rights are being enhanced and new rights introduced
Six – one of the most significant new rights is about the consent of the individual to the processing of their personal data. This consent must be freely given, specific, informed and unambiguous and be by a statement or clear affirmative action. It can’t be bundled into other agreements like Terms and Conditions and silence, pre-ticked boxes or inactivity will not be considered as consent
Seven – there are enhanced requirements if you use personal data for profiling. So if you collect personal data about an individual and then use it to market products or services to that individual, you will be required to give the individual specific information and they will have the right to object
I could go on (and on) but as there are some other key things to check out – data transfers, free access requests, right to rectification and erasure of data, breach notification, right to object etc – it might be best to contact me on sinead@dq.im to arrange a chat.