General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation, better known as GDPR, became law in the UK on 25th May 2018. It’s the biggest shake up in data protection and the way companies hold personal information in 30 years and it supersedes the existing Data Protection act.

So, why change? Well, the way private information is held has changed beyond comprehension since the late 1980s. First and foremost, social media and remote devices such as smartphones and tablets were not around; email did not exist; and of course, computers had neither the capacity or the sophistication of today. The written word was more commonly held in paper files and only sent electronically via telex or fax.

These days, many companies hold online or cloud-based databases and relay information over the above channels. Keeping data secure from would-be hackers is not easy and keeping on top of viruses is a continual challenge for tech giants.

GDPR is the reason many of us have received emails from companies we’d almost forgotten we dealt with, along with those whose services we use regularly, asking if we want to ‘stay in touch’. Some even offer incentives to do so.

All companies within the EU must demonstrate that they have a legitimate reason for holding personal data and that they have the holder’s permission to keep it. In addition, they can only retain it for a reasonable period of time. It must be kept securely and it has to be relevant to the purpose it was obtained for. In addition, it must be kept up to date, accurate and processed within the remit of the law, with fairness and transparency. All staff need to be trained on how to adhere to these, and other, rules. The rules will continue to apply to the UK should the country leave the EU as planned next year.

What is deemed personal data then? Well broadly your name, your postal address, your email address, your photo, your IP address, location data, online behaviour (cookies) and profiling and analytics data. Also, groupings known as special categories, including race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic data.

A company must be able to prove it has consent on file and the individual can remove consent at any time. All consent requests must be explained in plain language and companies cannot ‘pre-tick’ boxes as they were previously able to do under the old rules. Consent for children under 13 must be provided by their parents.

As an individual, you have the right to access and view what information companies hold on you and you can ask for it to be corrected if inaccurate. You can also object to it and have it erased. You can also transfer it to another organisation if you wish.

GDPR is unquestionably a game-changer in the area of data protection. And it certainly looks set to stay.

June 2018