GDPR: Your Questions Answered (Part 1 of 3)

Date: 19/07/2017

After four years of preparation and debate the EU General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14 April 2016. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

The bar on protection of personal data has been raised and there will be severe penalties for non-compliance. Very few bodies do not store personal data of some description so this is legislation that affects us all. It’s important you are aware of what this means for your organisation.

Hopefully the following list of questions and answers will help you take your first steps to becoming GDPR compliant.

What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It’s designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. It will replace the current Data Protection Act.

When will it be enforced?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by national governments; it applies directly in every member state from 25 May 2018.

I work in children’s services. Why does this affect me?
Any institution which gathers data on private citizens has a duty of care to protect that data. If you or the organisation you work for records data about children or their parents then you need to understand the implications of GDPR; data about children attracts additional safeguards under the regulation, for example around consent.

Why is it being introduced?
Today's world is increasingly data-driven and vastly different from the one in which the 1995 directive was drafted. Although the key principles of data privacy from the previous directive still hold true, the regulatory requirements built on them have changed substantially, and the GDPR also replaces a patchwork of national laws with a single regulation.

Does this just refer to electronic data?
No. It refers to all sources of personal data, such as folders in filing cabinets, CCTV, spreadsheets, ID cards and so on. It impacts any data you hold on staff, visitors, vendors, or those to whom you provide services. You already have a duty of care to ensure that this data is kept safe and secure. With the GDPR, there is increased responsibility, and accountability, to ensure this information – regardless of what form it’s kept in – is managed in the right way.

What data is affected by GDPR?
All personal data. This is not just about fundraising or marketing. GDPR embraces anything that involves processing an individual’s personal data, from whatever source, for whatever reason.

What is “Privacy by Design”?
Privacy by design calls for data protection to be built in from the start of designing a system, rather than bolted on afterwards. The GDPR makes this a legal obligation (Article 25, "data protection by design and by default"): 'The Data Controller shall ... implement appropriate technical and organisational measures ... in an effective way ... in order to meet the requirements of this Regulation and protect the rights of data subjects'. (Earlier drafts numbered this Article 23, which is why that number still appears in some guidance.) In practice this means Data Controllers should hold and process only the data strictly necessary for the purpose at hand (the data minimisation principle, Article 5(1)(c)), and should limit access to personal data to those who need it to carry out the processing.

What constitutes personal data?
Any information relating to a natural person (the 'Data Subject') that can be used to identify that person, directly or indirectly. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address or other online identifier.

Part 2 tomorrow.