Understanding the General Data Protection Regulation (GDPR)

On 27th April 2016, the General Data Protection Regulation (GDPR) was officially adopted. After a two-year transition period, it was enacted on 25th May 2018, replacing the Data Protection Act of 1998 and the EU E-Privacy Directive. If you’re unsure about the GDPR or how it will affect you, Five 7T is here to help.

Let us break it down for you

What is the General Data Protection Regulation?

Today’s world vastly differs from when data protection laws were implemented around 20 years ago. With the rise of smartphones, tablets, laptops, and personal computers, there has been a significant increase in digital information being created, captured, and stored. The existing data protection laws have become inadequate, leaving too many opportunities for data misuse.

The GDPR is a new set of laws designed to better regulate how businesses handle sensitive personal data. It governs how companies communicate, store, and use customer information, and applies to any business associated with a European member state.

Why was such a regulation implemented?

Unlike its predecessors, the GDPR is a regulation, not a directive.

Directives outline goals, but their interpretation can vary from country to country. However, a regulation is a binding legal agreement with severe penalties for non-compliance. All countries must follow one set of rules without any exceptions.

What about Brexit?

Brexit has no impact on GDPR’s implementation. Even after leaving the EU, UK businesses with European contacts or subscribers must adhere to the GDPR or face consequences. The Information Commissioner’s Office will enforce the GDPR in the UK. The UK will also implement a new Data Protection Bill, including all GDPR provisions with minor alterations. The rules will be the same for businesses in any EU member state.

The Data Protection Bill

The upcoming Data Protection Bill will incorporate nearly all GDPR provisions, with minor changes to protect specific groups like researchers, anti-doping agencies, and journalists. Although the bill is still under review and subject to amendments, it will replace the existing data protection laws and come into full effect once passed.

What is covered under the GDPR, and how will my business be affected?

The GDPR affects any business responsible for controlling or processing personal data, covering any data that can identify an individual. Essentially, any information about a person your business acquires falls under the regulation. This data is categorised into two types: personal and sensitive.

This includes, but is not limited to:

Personal Information:

  • Name
  • Social Media ID
  • Residential and IP Address
  • Telephone Number
  • Email Address

Sensitive Information:

  • Genetic Data
  • Religious Views
  • Political Views
  • Sexual Orientation
  • Medical History

Additionally, pseudonymised data is covered if the pseudonym can identify the individual.

How will the GDPR change the current situation?

The GDPR places a greater emphasis on transparency between businesses and their customers. Here are some fundamental changes:

  • Customers can easily find out what information a company holds about them.
  • Companies must clearly outline and obtain the necessary consent for processing personal information and must be able to prove that permission has been given.
  • New fines ensure severe consequences for non-compliance with the GDPR.

Individual Rights Under GDPR

The GDPR introduces several new rights for individuals:

  • Right to Deletion: Individuals can request the deletion of all their data.
  • Right to Opt-Out: Individuals can opt out of having specific data used.
  • Right to Completion: Individuals can have incomplete data completed.
  • Right to Information: Individuals have the right to know what data is being processed and how.
  • Right to Data Portability: Individuals can move data from one organisation to another without issue.

Personal data includes anything that can be used to identify an individual, even a social media ID. This information must be obtained and processed only with the individual’s permission, which should be clearly stated in your terms and conditions.

How are businesses accountable? What must they do to remain compliant?

Businesses are now more accountable for handling personal information. They must adhere to several stringent requirements to remain compliant with the GDPR:

  • Data Protection Policies and Impact Assessments: Companies must maintain detailed documentation on data protection measures, including impact assessments for new data processing activities.
  • Data Breach Reporting: Any situation involving the destruction, loss, alteration, unauthorised disclosure of, or access to personal data must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. This includes breaches that could harm individuals, such as financial loss or breach of confidentiality.
  • Record Keeping: Companies with more than 250 employees must keep comprehensive records on why information is collected and processed. This includes descriptions of the information, retention periods, and security measures implemented to protect the data.
  • Data Protection Officer (DPO): Larger companies or those engaged in regular and systematic monitoring must appoint a DPO. The DPO acts as a point of contact for employees, ensures GDPR compliance, and reports to senior management.

Individual Access to Personal Data

Under GDPR, the process for individuals to access their data has been simplified:

  • Subject Access Requests (SARs): The £10 fee previously associated with SARs has been scrapped. Companies must provide the requested information free of charge within one month.
  • Right to Erasure: Individuals can request the deletion of their data if consent is withdrawn, the data was unlawfully processed, or it is no longer relevant.
  • Right to Explanation: Individuals have the right to an explanation of decisions made about them rather than being subject to automated processing.

Individual access to personal data

In the past, if you requested access to personal data being held about you by a company or organisation, you had to submit a Subject Access Request or SAR. This typically involved a £10 fee which under the GDPR is being scrapped. Upon a request for information being made, a company or organisation has one month to provide the requested data – free of charge!

In cases where consent is withdrawn, information was unlawfully collected and processed, or the information is no longer relevant, an individual can request that their data be deleted. The individual also has a right to an explanation of a decision made about them rather than being subject to automated processing of data.

How Can We Help?

Navigating the complexities of GDPR compliance can be challenging. Five 7T offers comprehensive support to help businesses prepare for and comply with the GDPR.

  • We Provide Expert Guidance: Our in-house specialist, Ollie Lawson, is fully qualified to assist with GDPR compliance. Ollie has completed GDPR Practitioner training and is a certified Data Protection Officer.
  • Data Assessment: We help businesses identify what data is being held and update procedures to comply with GDPR requirements.
  • Breach Preparedness: We assist in developing a plan for responding to data breaches, ensuring that businesses can act swiftly and in accordance with regulations.
  • Comprehensive Compliance: For businesses already complying with the Data Protection Act, we ensure full compliance with all GDPR principles.

Contact Five 7T for GDPR Assistance

If you are concerned about how GDPR affects your business, contact Five 7T today. Our expert, Ollie Lawson, will provide tailored advice to meet your business needs. With our support, you can ensure your business fully complies with the General Data Protection Regulation, protecting your company and your customers’ data.

For more information and to speak directly with our in-house GDPR expert, contact Edirect. We are here to help you navigate the complexities of GDPR and ensure your business remains compliant.

What comes next?

SSL Certificate

Adding an SSL Certificate to your website is essential to protecting your users’ data. Here’s how it benefits your site:

  • SSL encrypts all communication, including URLs, protecting browser history and preventing third-party tampering.
  • Ensures that any personal data shared on your site is secure.
  • Google considers SSL a ranking factor that can improve your site’s visibility in search results.

Privacy Policy

A Privacy Policy is crucial for GDPR compliance. Here’s how we can assist:

  • We can provide a generic Privacy Policy covering basic legal requirements.
  • If your business has specific needs, we will tailor a Privacy Policy to meet those requirements and update your website.

Check Boxes for Consent

Under GDPR, obtaining and proving consent is mandatory. Here’s how we implement this:

  • You must obtain explicit permission to collect and process data, which should be documented in your terms and conditions.
  • To prove consent, we will add checkboxes to your contact forms. Users must check these boxes to agree to your terms and conditions.
  • Pre-checked boxes are not compliant with GDPR, so all checkboxes will be unchecked by default.

The checkboxes will read as follows:

“I have read and accept the Privacy Policy and consent to [COMPANY NAME] contacting me about my enquiry.”

“I consent to [COMPANY NAME] contacting me with future updates.”
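As an added example (not Five 7T's code), the following back-end logic shows how a contact form can enforce the unchecked-by-default rule above, treat only an explicitly ticked box as consent, and keep a timestamped record of the exact wording agreed to so that consent can later be proven or withdrawn. The field names, hidden policy-version field and in-memory log are assumptions for illustration.

```javascript
// Added example, not Five 7T's code; field names and the in-memory log are assumed.
// Wording shown beside each box, stored with every record to show what was agreed to.
const CONSENT_TEXTS = {
  enquiry: "I have read and accept the Privacy Policy and consent to [COMPANY NAME] contacting me about my enquiry.",
  marketing: "I consent to [COMPANY NAME] contacting me with future updates.",
};

// Browsers omit an unticked checkbox from the submission and send the literal
// "on" for a ticked one. Only that value counts: a missing field, "" or "false"
// all mean no consent, so a pre-ticked or scripted default cannot pass.
function isTicked(value) {
  return value === "on";
}

// Append-only log: consent is never overwritten; withdrawals are added as events.
const consentLog = [];

// Validates one submission. Enquiry consent is mandatory; marketing consent is
// optional and recorded only when explicitly ticked. Returns { ok, errors, record }.
function processContactForm(fields, now = new Date()) {
  const errors = [];
  if (!fields.email || !fields.email.includes("@")) errors.push("email is required");
  if (!isTicked(fields.consent_enquiry)) errors.push("enquiry consent box must be ticked");
  if (errors.length) return { ok: false, errors, record: null };
  const purposes = ["enquiry"];
  if (isTicked(fields.consent_marketing)) purposes.push("marketing");
  const record = {
    email: fields.email,
    timestamp: now.toISOString(),
    policyVersion: fields.policy_version || "unknown", // assumed hidden form field
    consents: purposes.map((p) => ({ purpose: p, text: CONSENT_TEXTS[p], given: true })),
  };
  consentLog.push(record);
  return { ok: true, errors: [], record };
}

// Right to opt out: record the withdrawal as a new event instead of deleting history.
function withdrawConsent(email, purpose, now = new Date()) {
  consentLog.push({ email, timestamp: now.toISOString(), consents: [{ purpose, given: false }] });
}

// Current status for one person: the latest event per purpose wins.
function currentConsents(email) {
  const status = {};
  for (const rec of consentLog) {
    if (rec.email !== email) continue;
    for (const c of rec.consents) status[c.purpose] = c.given;
  }
  return status;
}
```

Because the log is append-only, the same records also answer a Subject Access Request: every consent and withdrawal for an email address can be exported as-is.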

By implementing these measures, you ensure your business is aligned with GDPR requirements, safeguarding personal data and maintaining user trust. For more detailed assistance on achieving full GDPR compliance, contact us at Five 7T today.

Frequently Asked Questions About GDPR

The following are the most frequently asked questions regarding GDPR:

What Is a Breach of Data Protection?

A breach is any situation where personal data is destroyed, lost, altered, disclosed, or accessed without positive consent. Data breaches involving individual and sensitive information must be reported to the Information Commissioner’s Office (ICO).

What Is Personal Data Under The GDPR?

Under the GDPR, personal data includes any information that can be used to identify an individual. This can include, but is not limited to, their name, address, telephone number, and social media ID.

What Are the Fines?

Any violation of the GDPR can result in significant fines. For example, not employing or assigning a Data Protection Officer (DPO) when required, or improperly collecting or processing data, can lead to penalties. The severity of the violation determines the fine:

Smaller offences: Up to €10 million or 2% of the firm’s global turnover, whichever is greater.

More serious offences: Up to €20 million or 4% of the firm’s global turnover, whichever is greater.

What Is the Difference Between a ‘Controller’ And A ‘Processor’?

Here are the straightforward definitions:

Controller: An entity responsible for determining how personal data is used and for what purpose.

Processor: A person or group responsible for processing any information the controller collects. This includes obtaining, recording, adapting, or holding personal data.

To summarise

While GDPR might seem daunting, its long-term benefits for businesses and individuals are significant. It demonstrates your commitment to privacy and security, helping build trust with your customers and making them more comfortable sharing their information.

To find out how Five 7T can help, email us or call us.
