On 25 May 2018 the EU General Data Protection Regulation (GDPR) becomes enforceable, strengthening data protection within the EU and governing the export of personal data outside the EU.
These changes will mean that businesses, both small and large, will need to ensure that they are aware of their new responsibilities and are fully compliant in order to avoid large fines. On the plus side it will mean that you’ll stop getting all those marketing emails clogging up your inbox!
This blog explains the main rules and what the new GDPR will mean for you as a planner.
The GDPR applies from 25 May 2018 and replaces the EU’s Data Protection Directive of 1995. The main additions give individuals more control over the data held about them, set out clearly stated obligations for organisations, and introduce a new (much larger) set of fines.
Alongside the EU GDPR the UK government will also be implementing a new Data Protection Bill to replace the Data Protection Act of 1998 – this means that even when we leave the EU there will be little difference between UK and EU law.
What is ‘personal data’?
The ICO defines personal data as any information that relates to an identified or identifiable individual, such as a membership number, address or bank details. There is also a sub-category of ‘sensitive personal data’ (called ‘special category data’ in the GDPR), which includes items such as health records, political and religious beliefs, and racial or ethnic origin; these carry stricter conditions for processing.
There are two broad parts to the GDPR: requirements for a business and rights for an individual.
The following principles apply to anyone who holds an individual’s personal data (taken from Article 5 of the GDPR):
- Purpose limitation: state explicitly the specific purpose for which the data is held
- Data minimisation: hold only the data that is relevant to that purpose
- Accuracy: data must be accurate and kept up to date
- Storage limitation: data must be kept for no longer than necessary
- Integrity and confidentiality: processing must be carried out securely
The regulation provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
Transparency and accountability are also big features of the new regulations, as is the need to be able to document and demonstrate compliance.
We are unable to provide any direct advice for members as we are not indemnified to provide legal advice but would suggest members use the further reading section for more information.
To help businesses prepare for the implementation of the GDPR the ICO has created a 12-step guide that covers what you need to do now.
In Ireland, the regulator has also setup a separate website explaining what should change within companies.
As well as this guidance, the ICO has a phone service to help small businesses prepare for GDPR.
The full regulation (it is 88 pages long and has 99 articles).
The ICO's guide to GDPR is essential for both consumers and those working within businesses.
EU GDPR is the European Union's official website for the regulation.
Berenice Seel (Data Protection Officer)
Berenice Seel is the RTPI's Data Protection Officer.