From 25 May 2018 the GDPR (General Data Protection Regulation) will apply throughout the EU, and the UK Government has confirmed that it will implement the regulation regardless of the decision to leave the EU.
The GDPR is designed to make the protection of personal data consistent across member states and to strengthen individuals' rights over their personal data, although work is continuing on refining the detail of how it will be applied.
Many organisations collect and keep personal information for a range of legitimate purposes, from use in targeted business marketing, to records kept by organisations providing health and other services and also for research.
But rarely a week passes without news of yet another organisation's customer database being breached or "hacked".
Any business or organisation that collects information about the people who work for it or use its services has a duty to ensure that the information is stored securely.
When the new regulation comes into force, both the organisation that decides how personal data is used (the controller) and any third party that processes records on its behalf (the processor) will be accountable. They will have to document the decisions they make about processing the data they have collected. This means being able to show that the data was collected lawfully for specified and legitimate purposes, and that what is collected is limited to what those purposes actually require.
Crucially, the information must be protected and held securely, and it must be kept for no longer than those purposes require.
Any organisation or business that keeps lists containing people's personal data will need to review its data collection, storage and processing systems to be ready in time for the new regulation. It must be able to show a lawful basis for collecting and holding each category of personal information and be able to evidence this. Where that basis is consent, the consent must be a clear, affirmative choice: silence or pre-ticked boxes do not count.
Organisations must also give individuals the right to access and correct the information held about them, the right to have it erased, the right to restrict its processing and the right to object to that processing. They will therefore need governance in place to ensure that every such request is acted on in a timely manner (as a general rule, within one month of receipt).
Exemptions from parts of the regulation, known as derogations, will be permitted only in limited circumstances, such as for reasons of national security.