Did you know that the GDPR is a new comprehensive data protection law, effective from May 25, 2018? Does this law strengthen the protection of personal data? Yes, it does: it was enacted to protect users and visitors, online and offline. It was introduced in response to modernisation, rapid technological advancement and increasingly complex cross-border data flows. It gives more power to the individuals whose personal information is being processed. It updates and replaces the data protection laws currently in place with a single set of rules, directly enforceable in the UK and each EU member state.
What does it regulate?
Besides strengthening and standardising user data privacy across the UK and EU nations, it will impose new or additional obligations and liabilities on data controllers and data processors. The GDPR focuses on the lawful processing of data, transparency to data subjects about the processing activities performed on their data, keeping data accurate, restrictions on marketing activities, processing that involves automated profiling of personal data, and disclosing personal data to another party only after ensuring that proper technical and organisational measures are in place.
What counts as personal data under the GDPR?
The UK/EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses and cookies, and sensitive data such as a person’s caste, health records and criminal records, now qualify as personal data. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
What does GDPR Readiness entail?
Data: Govern and ensure the quality of data; assess what data is in use and for what purpose. This is crucial for offering the transparency and trust that the GDPR demands.
Governance: Translate the regulation into actions, norms and values. Consider which effective measures need to be taken.
Security: Protect fundamental privacy rights by protecting the security and confidentiality of personal data. For example, this entails providing for proper use, notice, consent, choice, access, rectification and erasure.
People, Processes and Communications: Train employees on GDPR requirements. Employees need to understand the risks and impact of improper data use. Identify the impact on processes and what changes may be required.
Do your part to protect data entrusted to you or face the consequences. For any further queries, please contact us.