Are you ready for GDPR?
In May 2018 the General Data Protection Regulation (GDPR), a new European Union-wide data protection regulation, comes into effect. If you are an organisation with offices and/or customers in the EU, even if you are a U.S.-based company, you have to comply with GDPR. If your business is affected, you will need to start thinking about compliance now.
The GDPR principles
The GDPR principles are similar to those in the Data Protection Act (DPA), with additional detail, plus a new accountability requirement. The GDPR requires you to show how you comply with its principles, for example by documenting the decisions that have been taken about a processing activity.
An abbreviated view of Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
(taken from the ICO website)
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA. It is important that you determine your lawful basis for processing personal data and document this. This becomes more of an issue under the GDPR because the lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
The GDPR allows member states to introduce more specific provisions in relation to Articles 6(1) (c) and (e):
“(c) processing is necessary for compliance with a legal obligation”;
“(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
These provisions are particularly relevant to public authorities and highly regulated sectors.
For EU and UK end users:
Don’t just accept that systems you have in place that provide data exchange between software applications are lawful – ASK QUESTIONS of your suppliers and Data Managers as YOU will be responsible.
Ensure your providers know that “SIF certified” applications can provide you with additional features to ensure you are legally protected (including data encryption at source and between applications; because SIF is a routing mechanism, there is no data storage functionality unless it is architected into your solution with your knowledge and agreement).
For more information on the security features included as standard in the SIF 3 Infrastructure Specification, refer to the specification itself.
Additional reading: Government to strengthen UK data protection law