Keeping up to date with data protection regulation is essential for any business that handles personal data, and with the GDPR it is something you need to start thinking about right now.
Businesses need to be fully aware of the security and record-keeping requirements that apply when handling customers’ data, so that they operate within the law and provide the best possible service.
With changes to data protection regulation on the way, don’t get left behind: stay in the loop with this summary of the key points.
GDPR set date
From 25th May 2018 the General Data Protection Regulation (GDPR) applies across the EU. It replaces the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998 (DPA), and it builds on many of the DPA’s principles.
Although much will be familiar from the earlier act, there are important differences, so anyone with responsibility for data protection needs to understand what has changed.
To help, here is a brief summary of some of the key points to be aware of once the GDPR applies, so that you remain ahead of the game and within the law when handling customer data.
Processor and controller compliance
The GDPR applies to broadly the same parties as the DPA, namely ‘controllers’ and ‘processors’: controllers decide why and how personal data is processed, and processors carry out that processing on a controller’s behalf.
As a processor, you must now keep records of the processing you carry out on behalf of each controller. This is a new legal obligation placed directly on processors, and a processor can be held liable if it fails to meet it. Controllers are not absolved by this: the GDPR also requires a controller to use only processors that give sufficient guarantees of compliance, and to have a written contract with each processor that sets out the processing and the processor’s obligations.
The GDPR applies to businesses established in the EU, and also to businesses outside the EU that offer goods or services to individuals in the EU or monitor their behaviour (for example by tracking them online).
In general, any processing of personal data must comply with the GDPR, although there are some exceptions. It does not cover processing by law enforcement authorities for law enforcement purposes (this falls under the separate Law Enforcement Directive), processing for national security purposes, or processing by an individual purely for personal or household activities.
What exactly is defined as personal data by the GDPR?
The GDPR’s definition of personal data is similar to the DPA’s. The change does not make a significant practical difference for most records: the same rules still apply to the majority of the personal data you hold.
However, the GDPR expands the definition to make clear that online identifiers, such as IP addresses and cookie identifiers, can be personal data. A wider range of identifiers is now covered, reflecting the shift towards digital technology and data. The regulation applies both to personal data processed by automated means and to manual records held in a structured filing system.
What the DPA called ‘sensitive personal data’ is known under the GDPR as ‘special categories of personal data’, and the list has grown to include genetic data and biometric data that is processed to uniquely identify an individual. Data about criminal convictions and offences is not part of this definition, but it has its own safeguards and may only be processed under official authority or where the law specifically permits it.
Under the GDPR you must identify a lawful basis for each purpose for which you process personal data, and you must document it before the processing starts.
This matters more under the new regulations than it did under the DPA, because the basis you rely on must be considered against the individual’s rights and affects which of those rights they can exercise.
For email marketing this usually comes down to consent. Consent is only one of the lawful bases, but where you rely on it individuals have greater control over how their personal data is used, because you must obtain it before processing and they can withdraw it.
The GDPR distinguishes between ‘consent’ and ‘explicit consent’ (the latter is required, for example, for special categories of data). Neither term is exhaustively defined, but consent must be freely given, specific, informed and unambiguous, and must be given by a statement or a clear affirmative action. Silence, inactivity and pre-ticked boxes therefore do not count as consent to the use of personal data.
Individuals also have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. You must be able to demonstrate that consent was given, so keep a record of who consented, when, how, and what they were told at the time.
There are a number of specific processing conditions under the GDPR which you need to be aware of to avoid infringing individuals’ rights. It is therefore sensible to review your data protection practices now and make sure your consent mechanisms, including any consent you already hold, meet the new standard.
There are also new provisions for processing children’s personal data. Most significantly, where you rely on consent to offer online services directly to a child, a child under 16 cannot give that consent themselves and you must obtain it from a parent or guardian. Member states may lower this age to as low as 13, and the UK has chosen 13.
Overall, the GDPR gives children’s personal data extra protection, especially where it is used for marketing or profiling, or on social networking sites.
These are just some of the key areas to consider ahead of the changes brought about by the General Data Protection Regulation.
It is vital that your business understands the new regulations before they apply, so that you do not breach individuals’ rights or operate outside the law.
While many procedures remain similar to the DPA, you should keep track of all of the developments in order to run your data protection policies effectively.
The Information Commissioner’s Office (ICO) website is a particularly useful resource for learning about the GDPR changes and should be consulted in detail before the new regulations apply in May 2018.
At Instiller, we are dedicated to ensuring our data protection practices meet all current legal requirements to the highest standard, thus ensuring your email marketing solutions are in safe hands.