On 25th May 2018 the General Data Protection Regulation (GDPR) comes into force. Its aim is to make data protection more robust and to give individuals greater control over their privacy. The regulation applies to personal data held about individuals in the EU and will, therefore, affect every organisation that collects such data, wherever it is based. To give you an overview of the scope of the regulation, here are fifteen essential facts you need to know about GDPR.
Following its implementation, every citizen in the EU will have the following privacy rights:
- The right to access their data
From 25th May, any individual in the EU has the right to be given access to the personal data an organisation holds about them, and to be told how it is processed, for what purpose, and with whom it is shared. Organisations will have to provide these details on request, normally within one month and free of charge.
- Data correction rights
The new regulation stipulates that any personal information an organisation holds must be accurate. Where errors occur, individuals can demand that corrections are made.
- The right to be forgotten
GDPR also provides the right to be forgotten (formally, the right to erasure). If an individual requests it and there is no overriding legal basis for keeping the data (for example a legal obligation to retain records), the organisation must stop processing and delete the personal data it holds about that person without undue delay.
- Data portability rights
Individuals can also request that the personal data they have provided to you is handed back to them, or transferred directly to another organisation, in a structured, commonly used and machine-readable format. This covers data such as purchase histories, employment records, call logs, gas and electricity consumption records, no-claims bonuses, etc.
- Data breach notification rights
Under GDPR, delaying the notification of a data breach is forbidden. There is now a legal obligation to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to individuals, to inform the affected individuals without undue delay.
Areas of data protection
GDPR puts in place the following protections:
- Protecting data that identifies individuals
GDPR applies to any information which can be used to identify an individual. Besides obvious data, like names and addresses, this includes things like passport numbers, car registration numbers and even CCTV recordings.
- Protecting demographic data
Data regarding an individual's race, age, gender, disability, ethnicity and sexual orientation is also protected under the new regulation, and some of it (racial or ethnic origin, sexual orientation, and health data such as disability) falls into the 'special categories' that attract stricter conditions for processing.
- Web data protection
Under GDPR, web data, including IP addresses, location data, email addresses, browsing histories and cookie identifiers, is regarded as personal data that must be protected against loss, unauthorised access and theft.
- Political views
While the 'Vote for' poster in the front window might be a dead giveaway, this doesn't mean that data held about a person's political views is not private. It is. If you store information about party memberships, political opinions, previous voting habits or any similar information, it is special category data and must be securely protected.
- Biometric, genetic and health data
The potential theft and sale of biometric, genetic and health data can have huge consequences for the people concerned. For this reason, all these forms of data are treated as special categories of personal data under GDPR, with extra conditions attached to processing them.
Requirements on organisations
GDPR places the following requirements on organisations:
- Data protection by design
One requirement of GDPR is that organisations must implement data protection by design and by default. 'By design' requires data security to be built in from the beginning to the end of the data lifecycle, from collection to deletion; 'by default' requires that only the personal data necessary for each purpose is collected and processed.
As part of this, organisations need to carry out a 'data protection impact assessment' (DPIA) before starting any processing that is likely to result in a high risk to individuals, to identify those risks and outline ways to address them.
- The Data Protection Officer
Another requirement of GDPR is that public authorities, organisations whose core activities involve large-scale processing of special category data, and organisations that regularly and systematically monitor data subjects on a large scale must appoint a Data Protection Officer (DPO). The DPO advises the organisation on its obligations, monitors compliance and acts as the contact point for the supervisory authority; the organisation itself remains accountable for data protection and GDPR compliance.
- Protection beyond the EU
GDPR's jurisdiction is not limited to the geographical borders of the EU; it extends to organisations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, and process their personal data. Whilst this may seem difficult to enforce fully, it means non-European companies that wish to trade in the EU will have to follow the same rules as EU organisations.
Other key points
- Post-Brexit GDPR
The UK government is fully supportive of GDPR and is committed to making sure that the rights and responsibilities it gives continue after Brexit. In any case, if we are to continue to trade with the EU, any UK organisation that holds personal data about individuals in the EU will still need to comply.
- Hefty fines for non-compliance
The one thing that has made GDPR hit the headlines is the eye-watering size of the fines for non-compliance. The maximum fine is €20 million or 4% of an organisation's annual global turnover, whichever is higher. This level of fine can be handed out for not adhering to the core principles of data processing, for infringing individuals' rights, or for transferring personal data to recipients outside the EU without adequate safeguards.
How Webhosting UK looks after your data
WHUK began preparations for GDPR in 2015 and has everything in place to protect the data we hold about our customers and to help them protect the data they hold on others.
Our security measures include:
- SSL/TLS encryption to protect personal data in transit
- authentication of user ID using verified email addresses and unique security pins
- direct consent needed before we make changes to your account
- no information shared with third parties (unless legally required).
We fully train all WHUK database engineers to ensure that the security and management of data comply with strict industry regulations. We secure private data with ModSecurity web application firewall rules and robust physical, electronic and managerial procedures. To prevent data loss in the event of a disaster, we back up our shared servers.
For highly secure hosting from a GDPR compliant service provider, check out Webhosting UK to find our full range of hosting solutions.