Where Do You Stand?
Seeing as GDPR legislation comes into force in the next couple of days, it's very important to see where you stand and the steps you may need to take to become compliant.
First Things First – Understanding GDPR
It all seems very confusing at first, and I have spoken to a handful of people on the subject and everyone seems to have their own take or ‘spin’ on what GDPR means they need.
And to be honest, the information out at the moment can be very vague when trying to get down to the specifics. The easiest way to begin to understand it is to get familiar with the eight individual rights that are granted concerning personal data.
The Eight Individual Rights Under GDPR
At the very centre of GDPR there are eight specific rights that individuals are granted regarding their personal data. They are as follows:
1. Right to be informed
Individuals must be told, clearly and concisely, who is collecting their data, why, and how it will be used (in practice, a privacy notice).
2. Right of access
If a client requests their data, you must provide it to them in a commonly used format, such as CSV.
3. Right to rectification
You must allow a client to correct incomplete or inaccurate information.
4. Right to erasure
Clients can request deletion or removal of personal data when there is no compelling reason for its continued processing. Also referred to as “the right to be forgotten.”
5. Right to restrict processing
Individuals have the right to block processing of personal data. In such cases, you can store the data but no longer process it.
6. Right to portability
You must allow individuals to obtain and reuse their personal data for their own purposes. This means you must provide it to them in a common format, such as CSV.
7. Right to object
Individuals can object to the processing of their personal data. This includes processing for direct marketing (which must stop as soon as they object), research and statistics.
8. Rights related to automatic decision making, including profiling
This rule restricts when you can use profiling and automated decision-making that has a legal or similarly significant effect on the individual, and sets out the conditions that must be met, such as the individual giving explicit consent.
These rights are spelled out in further detail in the official GDPR guide.
Once you have started to get to grips with these eight rights, you have the basics down. But I’m afraid the road to GDPR mastery is not quite over yet, my friends. Leading on from those points, you must demonstrate that you are implementing data protection as a standard procedure.
Security by design
To further comply with GDPR, you must demonstrate that you are implementing data protection ‘by design and by default’. Examples of this in the regulation are designing databases to use encryption and/or pseudonymisation. It also mentions the importance of incorporating access control, so that the data is only viewable by people who actually need to access it.
pseudonymisation – “a data management and de-identification procedure in which data fields are scrambled and replaced by one or more artificial identifiers.” Note that pseudonymised data still counts as personal data under GDPR, because it can be tied back to the individual using the additional information (the key or lookup table) that you hold separately; only data that can no longer be attributed to a person at all is anonymous and outside the regulation.
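The following is an added worked example of the pseudonymisation step described above; it is my own illustration, not code from the original post or from any particular product. It replaces the direct identifiers in a set of constructed customer records with keyed tokens, keeps the token-to-identifier mapping in a separate structure (standing in for a separately stored, access-controlled table), and shows that deleting a subject's mapping entries makes their rows anonymous. The field names, the sample records and the helper names (`pseudonymise`, `reidentify`, `erase_subject`) are all assumptions made for the example. It uses HMAC-SHA256 with a secret key rather than a plain hash, because an unkeyed hash of an e-mail address can be reversed by hashing a dictionary of likely addresses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that identify a person directly and must be replaced (assumed schema).
DIRECT_IDENTIFIERS = ("customer_id", "email")

# Constructed sample records; not real people. The third row is a repeat
# visit by the first customer, so the same subject appears twice.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"customer_id": "C-1001", "email": "alice@example.com", "plan": "pro", "country": "UK"},
    {"customer_id": "C-1002", "email": "bob@example.com", "plan": "free", "country": "UK"},
    {"customer_id": "C-1001", "email": "alice@example.com", "plan": "pro", "country": "UK"},
]


def make_token(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for one identifier value.

    The same value under the same key always gives the same token, so the
    working data set can still be joined and counted per customer. Without
    the key the token cannot be recomputed, so a dictionary attack on
    likely e-mail addresses does not work, unlike a plain SHA-256.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (pseudonymised copies of the records, lookup table).

    The lookup table maps token -> original value. It is the 'additional
    information' that GDPR says must be kept separately from the working
    data, under tighter access control; it never ships with the records.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                token = make_token(copy[field], key)
                lookup[token] = copy[field]
                copy[field] = token
        out.append(copy)
    return out, lookup


def reidentify(record: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Restore the direct identifiers of one record from the lookup table.

    Raises KeyError when a mapping has been removed (for example after an
    erasure request), which is the intended outcome: the row is then
    anonymous and cannot be tied back to anyone.
    """
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


def erase_subject(lookup: Dict[str, str], key: bytes, *identifiers: str) -> int:
    """Honour an erasure request by deleting the subject's mapping entries.

    Returns the number of entries removed. The pseudonymised rows stay
    usable for statistics but can no longer be linked to the person.
    """
    removed = 0
    for value in identifiers:
        if lookup.pop(make_token(value, key), None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM or secrets store, never beside the data.
    key = secrets.token_bytes(32)
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("working data set (safe to hand to analysts):")
    for row in pseudo:
        print(" ", row)
    print("rows for the first customer link up:", pseudo[0]["email"] == pseudo[2]["email"])
    print("restored:", reidentify(pseudo[0], lookup))
    erase_subject(lookup, key, "C-1001", "alice@example.com")
    try:
        reidentify(pseudo[0], lookup)
    except KeyError:
        print("after erasure the first customer's rows are anonymous")
```

Two points worth noting from the design: a different key produces different tokens for the same person, so a data set pseudonymised for a third party under its own key cannot be correlated with your internal one; and because the lookup table is the only route back to the individual, the access-control requirement above applies to that table and to the key far more than to the pseudonymised rows themselves.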
It is also required that you have a clear, documented procedure for handling potential data breaches. If a data breach is likely to pose a risk to individuals, it must be reported to the DPA without undue delay and, where feasible, within 72 hours of you becoming aware of it.
For the UK, that means the ICO (Information Commissioner’s Office).
Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay.
Last but not least, GDPR requires you to provide evidence that you comply. In practice this means writing down your procedures for handling personal and sensitive data: the data security measures you have in place, the procedure you will follow for a data breach, and the ‘lawful basis’ for each type of processing you carry out, recorded exactly as it applies.
GDPR is still very new to us and the government. It is very likely that it will adapt and change over the coming months, as they find problems and loopholes with the current legislation.
But if you have any further questions, please feel free to leave a message here on this post or alternatively you can email me on: Sam@sps-creativedesign.co.uk