GDPR Countdown - May 25th 2018
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC).
It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR and factor this into their planning now. They should start by identifying the areas of the business that could cause compliance problems under the GDPR: what personal data is held, where it came from, why it is kept, who it is shared with and how it is protected.
Are You A Data Controller?
In essence, you are a data controller if you can answer YES to the following question: Do you keep or process any information about living people, and do you decide why and how that information is used? If you only process personal data on the instructions of another organisation (for example as an outsourced payroll or hosting provider), you are a data processor rather than a controller, but the GDPR places direct obligations on processors too.
Your Legal Responsibilities
You have certain key responsibilities in relation to the information which you keep on computer or in a structured manual file about individuals.
Safe & Secure
The security of personal information is all-important. Under the GDPR (Article 32) you must put in place technical and organisational measures that are appropriate to the risk, so what is required will be more significant in some situations than in others, depending on such matters as the confidentiality and sensitivity of the data and the harm that would follow from a breach.
Time is Critical
Data controllers must be clear about how long personal data will be kept and why it is being retained, and must delete it once that reason no longer applies (see "Retain it no Longer than is Necessary" below).
Fair Obtaining and Processing
This is the fundamental principle of data protection. If your organisation wishes to keep personal information about people, whether on computer or in a structured manual file, you must collect the information fairly, and you must process (or use) the information fairly. Under the GDPR this principle is stated as lawfulness, fairness and transparency: you need a lawful basis for the processing, and you must tell people clearly what you are doing with their data.
Specifying the Purpose
You may not keep information about people unless it is held for a specific, lawful and clearly stated purpose. It is therefore unlawful to collect information about people routinely and indiscriminately, without having a sound, clear and legitimate purpose for so doing.
Keep it Accurate and Up-to-Date
You must ensure that the personal information you keep is accurate and, where necessary, kept up-to-date. Apart from ensuring compliance with the Data Protection Acts, this requirement has an additional importance in that you may be liable to an individual for damages if you fail to observe the duty of care provision in the Acts applying to the handling of personal data.
Adequate, Relevant and Not Excessive
The personal data you keep should be enough to enable you to achieve your purpose, and no more. You have no business collecting or keeping personal information that you do not need, “just in case” a use can be found for the data in the future. You should not ask intrusive or personal questions, if the information obtained in this way has no bearing on the specified purpose for which you hold personal data.
Retain it no Longer than is Necessary
Nowadays information can be kept cheaply and effectively on computer. This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal information, then that information should be routinely deleted. Information should never be kept “just in case” a use can be found for it in the future.
Give a Copy of His/Her Personal Data to any Individual, on Request
Any individual is entitled, on request, to a copy of the personal data you hold about them, together with information on why you hold it, who it is disclosed to and how long it will be kept. Under the GDPR you must respond without undue delay and in any event within one month of the request. You are also obliged to explain to the data subject the logic used in any automated decision-making process where the decision significantly affects the individual and is based solely on the automated process.