AssuredPartners London

Welcome to GDPR

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR’s headline penalties have created fear and anxiety within companies that process personal data; the maximum fine could be as much as 4% of global turnover or €20 million (whichever is higher).


It is important to note that the scope of the GDPR legislation is very broad, so any firm with European activities falls within it.


At its core, GDPR is built on the principles of privacy by default and by design; data controllers within companies must ensure that the way they handle personal data reflects this.
While GDPR presents unprecedented challenges for businesses, it also provides an opportunity to improve their brand, image and reputation. By demonstrating transparency towards their clients, businesses can distinguish themselves and earn a competitive advantage.
The reality since GDPR came into effect has not been as some feared: there has been no wave of mass requests for data erasure, nor of fines issued.


Here we discuss five of the main considerations around GDPR, which we hope will give a clearer picture of what complying with the legislation involves.


Is consent required for the processing of personal data?

The clear and direct consent of the individual (the data subject) to the processing of their personal data for a specific purpose is one of the six lawful bases available to companies for lawfully controlling and processing personal data, as outlined in Article 6 of the GDPR [1].


The other five lawful bases for processing are as follows:

Contract: Processing is necessary for the fulfilment of a contract
Legal Obligation: Processing is necessary to comply with the law
Vital Interest: Processing is necessary to protect an individual’s life
Public Task: Processing is necessary to perform a task in the public interest, or in an official function
Legitimate Interest: Processing is necessary for the legitimate interests of an organisation or an associated third party

Do we need to appoint a Data Protection Officer?


A DPO is only mandatory for organisations whose main activities are processing operations that require regular and systematic control of data on a large scale. The DPO will usually be a person who reports directly to the highest level of management within the company. "A DPO can help you operate within the law by advising and helping to monitor compliance." [2]



Data encryption, the sensible option


Although the GDPR does not explicitly state that encryption is a necessity, encryption software will likely prove to be of huge benefit to businesses. In the event of a breach, stolen data that is encrypted is rendered useless to criminals, who would be unable to unlock it - which is the ultimate aim of GDPR.



Data erasure


GDPR allows an individual, at any time, to request that their personal data be deleted by the company that collected it, or by any others with whom it has been shared.



Regulation applies to digital data and paper


Elements of the GDPR, such as data portability, will be difficult to apply to information stored only on paper. In some cases this lack of applicability is an advantage: for example, demands for robust cyber-security measures do not apply to paper, because it can’t be hacked.