Organisations that operate within the UK and provide products or services to the public will be aware of the UK Data Protection Act 1998. From 25th May 2018, the European Union will enforce the GDPR (General Data Protection Regulation) in addition to the data protection framework that already exists.
Because sharing personal information is essential to transactions with companies, these laws focus on protecting the data given out within the EU. Businesses that operate outside the European Union but sell goods and services to the EU will also have to follow this legislation.
Although Britain voted to leave the EU in a referendum, there is no doubt that this regulation will still be imposed within the UK with the support of the UK government.
The relationship between GDPR and businesses
GDPR affects any kind of business that handles personal data. The legislation defines two types of operative: controllers and processors.
It is important that processors, those who have access to this information, remain within the guidelines and avoid compromising the individual and the data that they are handling. Processors will also be under significantly more legal liability if they are responsible for a data breach.
Using a payroll company as an example, a processor acts on behalf of the controller and makes sure that the information is being handled correctly and is being passed to the right people; a controller determines why someone’s data is being used.
Is my personal information being covered?
KBR, experts in digital networking solutions and security, found that an individual’s personal data, such as medical records, contact details and bank details, is protected by the GDPR. However, the GDPR has taken the definition of personal data a step further; now, information such as a computer’s IP address is personal data. This is to ensure that users are protected online and that individuals cannot be located through a personal computing device, while protecting the data that users input online from malicious software that seeks to access personal information via an IP address.
Should businesses and organisations revise their data protection policy?
It is important that businesses regularly review their data protection policy to make sure they are still within the guidelines set out in the legislation. However, because legislation protecting sensitive personal information already exists, most organisations should already be protecting personal information in the appropriate way.
The rights regarding personal information
Individuals have rights that companies must understand when dealing with personal information. These rights cover a variety of situations and should act as a guideline when information is processed on an individual’s behalf. Rights for individuals regarding their personal information shared by organisations are as follows:
- The right to be informed. Information on how an individual’s personal data is processed should be provided on request in the form of a privacy notice, which emphasises the need for transparency about the way personal data is used.
- The right of access. Individuals have the right to be notified that their data is being processed, while gaining access to their personal data alongside other supplementary information – included within a privacy notice.
- The right to rectification. If personal data is incorrect or inaccurate, then individuals are entitled to request that this information be rectified. Third parties must also be informed so that they can make rectifications in the information that has been passed on.
- The right to erasure. If personal data is no longer required by an organisation, or the information does not need to be possessed, then an individual has the right to request that this information be forgotten.
- The right to restrict processing. Individuals can restrict the right of organisations to process data. This personal data can be stored, but it cannot be processed once it has been stored.
- Data portability. Individuals are entitled to obtain their own personal data stored by an organisation and to move it freely, without hindrance, from one IT system or environment to another safely and securely.
- The right to object. If personal data is being processed for purposes such as profiling, direct marketing or scientific and historical research and statistics, then individuals have the right to object to such activities.
- Automated decision making. If organisations use personal data within automated systems that negate the need for human decision making, then GDPR safeguards individuals from any damaging effects incurred through this process when data is handled. Therefore, decisions made regarding personal information should always be challenged by human intervention to ensure that personal data is always processed safely.