GDPR is one of those acronyms you are probably hearing a lot about at the moment. You are no doubt receiving emails asking if you are still happy to receive communications from a company and to be on their database. So what are the reasons behind this?
In 2016, a bill was passed by the European Union introducing the Global Data Protection Regulation, which will come into force as of 25th May 2018. GDPR defines the legal rights of EU citizens in relation to their data, and enforces regulations on the data controllers and processors who hold that data.
Under GDPR, there will be two categories: data controllers and data processors. Controllers are those who ‘determine the purposes for which and the manner in which any personal data are, or are to be, processed’, and processors are those ‘who process the data on behalf of the data controller’.
The definition of ‘personal data’ applies to any information that can be used to identify a person, either directly or indirectly. That includes a subject’s name, location, IP address or mobile device identity, and any organisation that holds the personal data of any EU citizen must ‘implement appropriate technical and organisational measures’ to protect that data.
Any organisation holding EU citizens’ data will need to tell you how your data will be processed, and on which lawful basis. There are six lawful bases; they are outlined below as they are worded for organisations, so ‘you’ in each item means the organisation doing the processing:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the organisation, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).
As the 25th May deadline approaches, we are sure you will be coming into contact with a number of different organisations communicating their own GDPR journey to you. This can sometimes feel overwhelming, but it is important to note that although organisations will communicate with you in different ways, they will all be working to the same six lawful bases.
11 April 2018
The views expressed in this blog do not in any way constitute advice and are specific to the date noted. As time passes the facts can change and readers should consult their adviser for up to date advice on any matters covered within the blog. Invest Southwest offers an initial review, which is free of charge, however long it takes. From this we will be able to confirm how we can help and give you an opportunity to decide if you would like us to. Thereafter, we will provide you with detailed recommendations and exact costs. Please note that we promise not to levy any kind of fee unless we can demonstrate a benefit to you.