Bulwark Safety Solutions Ltd -
bulwarksafety.co.uk © 2020 Copyright
designed by studio164 -
Practical advice on Health & Safety
t: 07428 220555 e: firstname.lastname@example.org
The General Data Protection Regulation (GDPR) is an EU regulation designed to restrict what organisations can do with European Residents personal data. Despite all the recent publicity concerning it, the GDPR originally came into force over two years ago, the 24th May 2016. With the 25th May 2018 relevant because this was when the provisions became direct applicable to all EU member states.
The GDPR gives EU residents very strong rights over what data can be collected, stored and processed on them. With massive possible fines for organisations that break the regulation (up to €20million or 4% of an organisations’ annual turnover) there is a very strong incentive to make sure businesses comply.
Personal data is described as information that can be used to identify an individual, it can consist of the obvious, name, address, National Insurance number, ETC. to things like computer IP addresses, Phone IMEI, CCTV images, Cookies, telephone recordings, digital assistants and so on.
The rights accorded in the GDPR include, Access, Portability, Erasure, Correction and Control.
Some of the criticism levelled at the GDPR is that it increases the administrative burden on an organisation and can appear vague in some respects.
Organisations may be required to:
Appoint a Data Protection Officer. This person is the first point of contact for dealing any queries concerning the organisations data, they could also be legally responsible for the data under their control.
Publish a Data Policy. This can set out, among other things, what data is collected, how it is collected, what the data will be used for, how it will be processed, how long it will be kept, etc.
Increase Data Security. Make it difficult for unauthorised people to gain access to the data. This can include physical and software controls.
Anonymisation or pseudonymisation, removes data that allows the subject to be identified.
Reduce the data collected. If the data collected is not immediately relevant, then it must not be collected. Data must be deleted when it is no longer required.
Keep data accurate. If information is found to be inaccurate, it must be corrected as soon as possible
Comply with information requests. Data subjects have the right to a copy of the data held on them. The organisation may be able to charge a reasonable fee.
Inform of any data breaches. The data controller is legally required to inform both the individuals involved and the supervising authority, within 72 hours of discovery, if any unauthorised access has occurred.
Regularly audit the data stored. Ensuring the data stored is relevant and accurate, any that is not should be corrected or deleted.