GDPR

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Members will find sufficient information on this page to help them to understand the general requirements of the new GDPR regulations. The steps that are required are straightforward and detailed below.

What is GDPR?

GDPR relates only to personal data and it concerns how the data is collected, stored in a secure facility, controlled, audited and deleted - when it is no longer required. GDPR will require all businesses to review their position in relation to the storage of personal data and to improve their current Data Protection procedures.

What is personal data?

Personal data uniquely identifies an individual i.e. their NI Number, Bank Account details, e-mail addresses, Facebook details, Date of birth etc.

What you need to engage with GDPR

GDPR will change how data protection and data handling operates in businesses. It could affect your business in various ways. Fines under GDPR can be up to €20 million or 4% of turnover, whichever is higher, so it’s important to start considering what you will need to do, right away.

ECA has produced a 10-step guide for members to start their journey towards meeting GDPR requirements. For further details and how to comply, please visit the ICO website.

ECA has also produced the following guides for members to help understand some of the key terms and processes involved in GDPR, including:

GDPR Introduction
10 key steps to engaging with GDPR
Consent to collect and process personal data
What, Where, When, How and Who of Data Mapping

The 10 key steps can be found below on this page and all other guides are availabe from the downloads section.

Further information

The prime UK source of information on the GDPR is the Information Commissioner’s Office ICO at: https://ico.org.uk/for-organisations/data-protection-reform/.

ECA has also provided a graphic PDF that outlines 10 key steps that will help smaller companies towards GDPR compliance.

1. Request access to their personal data (usually free of charge), and how you make use of it. (Also known as the ‘Right of access’.)

2. Ask you to delete/remove their personal data where there is no good reason for its continued storage or processing. (Aka ‘Right to be forgotten’.)

3. Transfer or move their personal data between service providers easily and safely, without obstacles to usability of the data. (Aka ‘Right to data portability’.)

4. Know how you intend to use their personal data when it is being gathered. They must freely give their consent to it. Their consent cannot be assumed or taken for granted. There are particular rules around what information you should supply and at what stage you need to supply the information to your customers. (Aka ‘Right to be informed’.)

5. Have personal data rectified if it inaccurate or incomplete. If you have disclosed the data in question to third parties, you must inform them of the rectification. You should also ensure that your customers are aware of the third parties to whom you have disclosed the data, where appropriate. (Aka ‘Right to rectification’.)

6. Allow you (in some cases) to store their personal data, but also state that you are not allowed to process that data for any reason. (Aka ‘Right to restrict processing’.)

7. Object to your usage of their data Individuals must have an objection on “grounds relating to his or her particular situation”. (Aka ‘Right to object’.)

8. Be safeguarded against the risk of a potentially damaging decision “without human intervention”. You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. (Aka ‘Right to be protected from negative automated decisions’.)

Footnote:

This Q&A section refers to personal data scenarios that may be relevant to many members, but it is not definitive guidance on how to comply with GDPR. For a full description of GDPR, and the official guidance, members are advised to visit the ICO website.