General Data Protection Regulation (GDPR)
GDPR comes into effect within the UK on 25th May 2018. It will be the biggest single change to Data Protection in the UK since the Data Protection Act came into effect in 1998. Whilst GDPR’s legislative origins are European, the UK has firmly stated its intent to adopt and enshrine GDPR into UK law with a new Data Protection Law even once the UK has left the European Union.
With the growth of the modern information society there has been a seismic growth in the amount of personal information that is now routinely gathered, stored and analysed in both paper and electronic form, from routine transactions and surveys to internet browsing. The aim has been to extract the maximum information value possible, helping anything from a home-based business to a complex multinational make better-informed decisions about the direction they may wish to take with their service or product.
‘Personal data’ is defined as any information relating to a living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Aim Of GDPR
Anybody taking part in the modern information society could be left wondering what information is being held about them, for what purpose it is being used and for how long it will be held. GDPR is aimed at redressing this imbalance for EU citizens (data subjects) by facilitating greater openness and transparency around who is harvesting and utilising information, what is harvested, why, how and for how long.
A further intended benefit of GDPR is the establishment of a single set of rules across Europe. The impact of this stretches further than just the EU: because the legislation is aimed at providing EU citizens with greater clarity and protection, any company from outside the EU that supplies goods or services to EU citizens will become subject to GDPR.
Rights of Data Subjects
In essence, GDPR provides EU citizens with the right to:
Customer Engagement – the impact of GDPR
The conditions for obtaining consent for the retention and use of data are now much stricter under GDPR e.g.:
- Consent will not be valid unless separate consents are obtained for different processing activities. This means you have to be able to prove that the individual agreed to a certain action.
- The individual must have the right to withdraw consent at any time, and withdrawing consent should be as easy as it was to give consent originally.
It is more than likely that your business obtains and retains personal information that belongs to data subjects. As such, you need to ensure your business is GDPR compliant. Your business is responsible for the data that you hold. This includes the sourcing of the data, the reason for collection and any subsequent processing you may undertake. In today’s information-rich age, data can be obtained in a variety of ways. As a result, there is no single piece of software that will ensure that you are compliant with GDPR. Compliance will be attained by using a combination of compliance assessments covering people, processes, technology and training to mitigate your risk of non-compliance.
StoreFeeder preparations for 25th May 2018
At StoreFeeder we take data security and the importance of our clients’ privacy very seriously. The plan that we are currently working to covers the areas detailed below and will lead to us being compliant by 25th May 2018:
1. Mapping our company’s movement of data into and out of StoreFeeder. Mapping where all of the personal data in our business comes from and goes to. Documenting what is done with the data. Identifying where the data resides, who can access it and if there are any risks to the data.
2. Determining what data we need to keep. Only keeping data that we need in order to comply with UK and EU GDPR legal obligations, or that is used for data analytics / processing to which the data subject has transparently consented.
3. Reviewing / amending (if required) our processes and documentation to ensure data subjects’ rights regarding data handling are in place in accordance with the 6 principles of GDPR:
4. ISO27001. Aligning our IT security to this information security management standard. This standard demonstrates to industry that we are operating to industry best practice around information security.
Queries regarding StoreFeeder’s GDPR status
Should you have any queries, please provide an overview of the point you wish to discuss and submit it to our Data Protection Officer at firstname.lastname@example.org.