On May 25th 2018, the new EU General Data Protection Regulation (GDPR) will come into play, replacing the current Data Protection Act. The new law impacts anyone based within the EU, along with any organisation which has customers based in the EU; it is also expected that the United Kingdom will move GDPR into UK law during the Brexit transition. The application of the law to any outlet which processes the data of a person based within Europe essentially makes GDPR a global policy.
Although the EU GDPR laws require changes to many organisations' data management processes, GDPR also needs ongoing maintenance, making it something which should be integral to business strategy – especially with a mindset around data management in marketing and communications. The ICO have been very keen to reiterate that it is not a race to be ready for May 25th, but an ongoing process which needs thorough plans and processes to be put in place.
There are many articles circulating surrounding GDPR which may leave some organisations confused or scared, but one of the main points to remember is that if you are already compliant with the current Data Protection Act, you just need to take your data handling to a new level. If, on the other hand, you aren't 100% sure that you are DPA compliant, you may need to make some larger changes. In either instance, GDPR does require several actions to be put in place prior to May 25th.
Organisations should not worry that going forward they are unable to process data; of course, this is something which needs to be done day to day for the efficient running of practically every business. The key with the General Data Protection Regulation is that all data processing is done under a 'valid lawful basis'. Taking this into consideration, there are six bases for the processing of data:
- Consent – able to provide evidence that an individual has agreed to their data being processed for a specific purpose.
- Contract – the processing of data is necessary for the undertaking of a contract, or has been agreed as required for the creation of a contract during pre-contract discussions.
- Legal Obligation – this data processing is necessary to comply with the law, and without it would be a breach of the law.
- Vital Interest – vital interest means that this data processing is necessary to protect life.
- Public Task – based upon a clear legal requirement, this data processing is necessary to perform a task of public interest or an official function.
- Legitimate Interest – this data processing is necessary for your business interest or that of a third party; however, this requirement does not outweigh the individual's freedoms and rights – which must always come first.
Another key aspect within GDPR surrounds the rights of the individual to whom the data belongs, which organisations need to remember and act upon:
- The right to be informed
- The right to erasure
- The right of access
- The right of rectification
- The right to object (including objecting to digital marketing)
- The right to restrict processing
- The right to data portability
- Rights surrounding automated decision making and profiling
Prior to the introduction of the new EU General Data Protection Regulation, it is important to ensure that all of the practices and processes which you have in place surrounding data are fully compliant with GDPR. This may include tasks such as data cleansing, internal training and process reviews. We highly recommend that if you have not begun steps to ensure that your organisation is compliant, you begin these as soon as possible.
At Wool Digital, we are a team of data enthusiasts and are fully equipped to support you on your journey to ensuring that you are fully compliant with EU GDPR – if you would like to hear more about the new laws, drop us a line on firstname.lastname@example.org or give us a call on 0161 635 0045.