What is GDPR?
In 2012, the European Commission began a process to reform Europe's existing data protection laws by proposing a new data protection regulation to replace the then-current Data Protection Directive (95/46/EC). GDPR was agreed and adopted in 2016 and has applied since 25 May 2018.
GDPR has three main aims:
- Updating EU data protection standards so that they are suitable for today's world
- Remedying some of the perceived deficiencies of the previous Data Protection Directive
- Achieving a better, more harmonised standard of data protection throughout the EU
What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
On top of existing rights in the EU, such as the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals, such as the right to obtain and reuse personal data across different services (data portability) and the right to erasure.
Privacy by design
Organisations must implement technical and organisational measures that show they have considered data protection and integrated it into their data processing activities. This builds on the idea that privacy should be considered from the start of the systems and product design process, and throughout it, rather than added on at the end.
What does GDPR mean?
Although GDPR might seem scary at first, many see it as a positive step forward for data protection.
Some of the key areas GDPR covers are:
- personal data about individuals in the EU (all of it)
This includes our customers, employees, suppliers and any other individual we collect personal data from. Personal data includes names, contact details, medical information, credit card or bank account details and more.
- how we collect personal data
We can only collect personal data if we have a lawful basis to do so. We might need it to process an application, for example. In all cases, we must make it clear what the personal data will be used for, and only use it for that purpose.
- user contracts and terms and conditions (on websites, for example)
These need to be simple, clear and easy to understand – with no complicated legal text.
- the right to know
Individuals can ask a business what personal data is being held about them. This isn't a new right, but organisations must now respond within one month (extendable by a further two months where requests are complex or numerous) and can no longer charge a fee as standard, although a reasonable fee may be charged for requests that are manifestly unfounded or excessive.
- the right to erasure
People can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
- data portability
Individuals can request a copy of their personal data in a structured, commonly used and machine-readable format, to use however they like, including moving it to a new service provider.
- data breach
We're obliged to report personal data breaches that are likely to result in a risk to individuals' rights and freedoms to the Information Commissioner's Office (ICO), the UK supervisory authority, without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the individuals affected, we must also inform them directly.