Stuart is out of the office (doing The Recruitment & Employment Confederation GDPR Training). For now, at least, I’m in charge. So, if, like me, you’re not particularly inspired when it comes to all things compliance, risk and regulation, perhaps you’ve also left the GDPR stuff to someone else. Sometimes though, when no-one is looking, we just need to grit our teeth and make sure we’ve at least grasped the basics.
In summary – what data have you got and where do you store it?
In marginally more detail (take a deep breath, I’m afraid there are 15 points) –
1. General Data Protection Regulation. That’s the acronym demystified.
2. The last set of rules were written in 1995. A lot has changed since then, like, for example, the internet. We now live in a world of free-flowing data.
3. And that data – which belongs to you, me and everyone else that supplies their personal information to third parties – needs to be protected.
4. This is an interesting point – the GDPR is specific to EU citizens *chooses to ignore Brexit situation*.
Example I: A Spanish organisation processing data in India will still be subject to the GDPR rules (if you’re an EU firm – you’re in, regardless of where the data handling takes place).
Example II: You live in France and a Chinese firm you engage with requires your data, then the Chinese firm is also subject to the GDPR (if you have an EU client – you’re in, regardless of where the processing firm is located).
5. Fines for breaking the rules will be tiered but can be whopping – up to 4% of annual global turnover or €20m, whichever is greater. Ouch.
6. Organisations must clearly ask for consent and make clear their intent for the data they hold. It must be just as easy to withdraw consent as it is to give it.
7. Notification of a breach will become compulsory where it is likely to “result in a risk for the rights and freedoms of individuals”. There are strict deadlines.
8. Everyone will be able to ask whoever is holding their data where it is being held and what for.
9. Furthermore, electronic copies of the data being held can be requested. For free.
10. Data Erasure: aka the right to be forgotten. Those holding data must be able to erase it, stop further distribution and potentially stop any third-party processing of that data at the data owner’s request.
11. Portability. Individuals will be able to request the movement of their data from one party to another.
12. Organisations should only ask for the data that they need to carry out their function on your behalf and should limit access to that data.
13. Systems should be designed to protect data, not designed with data protection as a bolt-on.
14. There will be some internal record keeping changes and some organisations will require a Data Protection Officer.
15. GDPR doesn't just apply to your clients' or business connections' data. It also applies to how you handle your employees' data. See here for a good article on it.
Thankfully Stuart is considerably more informed than me, so Skilling Gate will be GDPR compliant. The above is simply a high-level overview – my interpretation of the basics. It certainly isn’t comprehensive, so if you’d like more than a very basic summary go here: www.eugdpr.org.