GDPR gives EU citizens new rights
1. The right of access
GDPR gives EU citizens the right to know the details of any personal data you hold about them and how that data is processed and used. As an organisation, you are obliged to provide this information on request.
2. The right to be forgotten
People also have the right to be forgotten. This means that if a person requests it, you will be required to cease the processing of any data you hold about them and delete it.
3. The right to data portability
If you hold data about anyone, they can now ask for that data to be passed to another organisation. This can make things like passing on ‘no claims’ histories from one insurer to another much easier. However, it also means that customers can use the records you hold about them to get better deals from your competitors.
4. The right to be informed about data breaches
Some organisations have kept serious data breaches secret for months in order to protect themselves from bad publicity and other unwanted consequences. Now, customers must by law be informed within 72 hours. You must also inform any supervising bodies.
5. The right to data correction
Under GDPR, any data you hold about an individual must be accurate. If it isn’t, they have the right to demand it is corrected.
Range of data to be protected
Here is the range of data which you will be required to protect under GDPR.
6. Identifying data
Any information that can be used to identify an individual comes under the protection of GDPR. This includes information such as their name, address or National Insurance number, as well as things like CCTV footage, car registration numbers and RFID chip data.
7. Web data
GDPR also requires the safeguarding of web data. This includes details of an individual’s location, their IP addresses and any cookie data.
8. Demographic information
If you collect any information that classifies individuals, this too comes under the protection of the new regulation. This includes data about gender, race, ethnicity, disability and sexual orientation.
9. Health, genetic and biometric data
Health, genetic and biometric data has become problematic over the last few years. Insurance companies, for example, can use this information as a basis for setting the costs of health insurance. And as biometric data is increasingly used for authentication, keeping it secure is absolutely crucial. For this reason, it too is included in the data protected by GDPR.
10. Political affiliations
While many people aren’t too secretive about who they vote for or which political party they support, plenty of others are. If you hold data about political affiliations, whether that is their membership of a particular party or just a political opinion gathered on a survey, it needs protection under the GDPR.
Greater security demands on business
GDPR also brings in tougher data protection regulations for all organisations that collect and process personal data.
11. Data protection by design
From May, organisations will be required to implement reasonable data protection measures to protect EU citizens’ personal data and privacy by design. ‘By design’ means that end-to-end measures need to be planned and put in place so that everything from the collection of data all the way to its safe deletion is taken into account. Part of this includes the requirement for organisations to undertake a data protection impact assessment in order to identify risks to data and outline measures to ensure those risks are addressed.
12. Creating a Data Protection Officer role
Any organisation that processes or stores sensitive data, significant amounts of personal data, or regularly monitors data subjects must create a Data Protection Officer (DPO) role within their organisation. This individual will have responsibility for overseeing data protection, privacy and GDPR compliance. All public authorities (police forces, local councils, government organisations, etc.) must also have a DPO.
13. GDPR extends beyond the EU
GDPR is designed to protect the data and privacy of EU citizens. This means any organisation that holds data on EU citizens is required to comply with the regulation, whether based in the EU or not. This will have an impact on companies like Google, eBay and Amazon that collect web data from users in the EU. It will also affect many smaller international companies that trade in the EU, for example, app-based companies, game providers and online retailers.
14. GDPR will continue after Brexit
The UK has always played a leading role in protecting data. The UK’s Data Protection Act was passed in 1984, 11 years before the EU got around to issuing its Data Protection Directive in 1995. The UK government is committed to ensuring that the rights and responsibilities enshrined in GDPR are maintained after we leave the EU.
15. Big fines for non-compliance
The size of the fines which can be given to organisations that do not comply with GDPR is an indication of how determined the EU is to tackle issues with data protection and data privacy. From May, the maximum fine will be €20 million or 4% of an organisation’s annual global turnover, whichever is higher. This can be levied for failing to adhere to core principles of data processing, infringement of personal rights, or for transferring personal data to other countries or organisations that do not ensure an adequate level of data protection.
The issue of transferring data to countries or organisations with less adequate data protection should be a major concern for any company that has a website. If your web host has data centres outside of the EU, it is possible that the information you collect could be stored on less secure servers without your knowledge – and this could mean you are unwittingly breaching GDPR compliance. The same applies if your web host does not provide adequate security even if it is within the EU.