What GDPR means for companies
The General Data Protection Regulation (GDPR) came into effect in May 2018. It regulates the use of personal data (data relating to any identifiable, living person) across the EU. GDPR applies not only to companies operating within the EU, but also to companies that provide goods or services to organisations or individuals within the EU. The GDPR has modernised digital data protection, increased transparency, and extended the rights of the individual. The UK implementation of the GDPR is known as the Data Protection Act 2018, with compliance enforced by the Information Commissioner's Office (ICO).
Main GDPR Principles
The cornerstones of the GDPR are the principles listed below:
- Lawfulness, transparency and fairness
- Use limited to the purpose for which it was obtained
- Data minimisation
- Limitations on storage
- Confidentiality and integrity
Data subjects are the persons whose personal data is gathered, stored, and processed. Once data has been gathered about a subject, it is out of their control. This is why GDPR has extended the reach of data protection rights for the individual; these rights are as follows:
- The right to access
- The right to correction
- The right to erasure
- The right to information about processing
- The right to restriction of processing
- The right to data portability
- The right to object to automated individual decision-making and profiling
How Will GDPR Affect Your Company?
A Data Protection Officer (DPO) is an external individual, removed from the daily processes of your company, who is responsible for ensuring GDPR compliance. Not all companies are required to appoint a DPO; however, all are at liberty to do so. You are required to appoint a DPO in the following circumstances:
- You are a public authority
- Your core activities require regular, large-scale monitoring of individuals
- Your core activities require large-scale processing of special category data or of data relating to criminal convictions or offences
Small and medium-sized enterprises (SMEs) are companies with fewer than 250 employees and, unlike larger organisations, they are not required to document all of their processing activities. The activities that do require documentation are as follows:
- Regular processing activities
- Activities that could put the rights or freedoms of an individual at risk
- Processing of special category data
- Processing of data relating to criminal offences or convictions
Special Category Data
Sectors that handle special category data, such as healthcare groups, legal firms, and religious organisations, have come under close scrutiny following the launch of GDPR. Special category data is a type of personal data that is highly sensitive and subject to additional restrictions. Such data includes health information, race, religious beliefs, political opinions and biometric data. Organisations that process this data must satisfy an additional condition that allows them to process it, e.g. explicit consent.
Importance of GDPR for Your Company
GDPR compliance is vital for your company, as the alternative is a data breach with serious consequences for both your organisation and its data subjects. Good GDPR practices, on the other hand, can give you a competitive advantage by building well-founded trust in your company among both your customers and your employees. They also strengthen the security of your company, which is more crucial than ever given the increasing prevalence of data breaches. Data protection training is essential for ensuring compliance and protecting your company.