The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The objective behind this European regulation was to modernise data protection law in response to rapid technological change, to protect the personal information of individuals and to harmonise data privacy laws across Europe. The GDPR gives individuals greater protection and control over their information and transforms the way organisations handle information about their customers and employees.
Processing of data covers anything one does with personal data, including holding or storing it, whether electronically or manually. It is essential that any business that processes personal data about EU citizens complies with the GDPR.
The GDPR outlines six principles that companies or service providers using customers’ personal data must follow for good data protection practice. They are as follows.
Lawfulness, fairness and transparency: when collecting data, organisations must ensure that the processing is legitimate. Data subjects have a right to know how and why their data is being collected and used. This supports a good company-customer relationship and reduces the risk of complaints and/or requests from data subjects.
Purpose limitation: any organisation must ensure that data is collected for ‘specified, explicit and legitimate’ purposes and that processing is limited to the data required for those purposes. Data collected for one purpose may therefore not also be used for an entirely different purpose.
Data minimisation: the principle of minimisation requires businesses to make sure that the data processed for a specific purpose is kept to the minimum. Ensuring that processed data is not excessive reduces the risk of complaints by data subjects whilst limiting the need to carry out further exercises to get rid of unnecessary data.
Accuracy: the GDPR stresses that organisations are obliged to ensure that any data which is inaccurate or incomplete is either corrected or destroyed. Data subjects may also request to have their data revised, and organisations must meet such requests without undue delay.
Storage limitation: having adequate retention policies and disposal mechanisms in place facilitates the smooth running of the business while ensuring compliance. Storage of data, even in archives, constitutes data processing. This means that data subjects’ rights and controllers’ obligations remain applicable even when the business stops actively using the data.
Integrity and confidentiality: organisations must ensure that the data they collect is secured so that processing remains lawful and authorised, and that the data is protected against accidental loss, destruction or disclosure. To do so, organisations must use appropriate ‘technical or organisational measures’. Unsecured data can cause immense damage to an organisation if it is stolen or disclosed to third parties. A data breach brings considerable obligations to investigate, report and remediate, and may also result in significant penalties.
Your organisation may be just getting started, or may already have a GDPR programme in place. We can help you make the best of this regulation, regardless of where you are on your GDPR journey. Here is how our team can help you: