Although GDPR is a European Union regulation, the British government has confirmed that it will apply in the UK regardless of Brexit, taking effect on Friday 25 May 2018.
GDPR covers four main areas:
- What data a company holds;
- Where a company stores data;
- How data is protected and managed;
- Who can access the data.
There is a lot being written about the topic, but I'd like to point you in the direction of a couple of useful resources:
1. A detailed guide and checklist from the Information Commissioner's Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
As of May 2018, there will be six lawful bases which justify the processing of personal data. When collecting personal data, businesses will need to identify, and clearly state to the people concerned (customers, prospects and employees), which of the six bases they are relying on to process the data.
Processing on any basis other than those outlined below will not be lawful.
In summary, they are:
- The data subject has given consent. For consent to be valid, the individual needs to actively and affirmatively indicate that they are happy for the organisation to process their personal information in the way it has outlined; pre-ticked boxes or silence do not count;
- It's necessary for the performance of a contract, e.g. a gas or electricity provider processing a customer's address and payment details to supply the service they have signed up for, or to recover monies owed under that contract;
- It's necessary for the controller to comply with a legal obligation, e.g. if a firm is approached by a government body, such as the Serious Fraud Office, requesting data it is legally required to provide for a legal case;
- It's necessary to protect the vital interests of the data subject or another natural person, e.g. if the British Transport Police request the details of an at-risk individual whose life or safety is in danger;
- It's necessary to perform a task in the public interest or in the exercise of official authority, e.g. a police officer seeking an individual's address in order to make an arrest;
- It's necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
2. The ICO has announced that it will release further guidance on GDPR at a later date, so the details above are subject to change. Official information on GDPR and any changes can be found on the ICO website.
3. Retention of data is covered under principle 5 of the Data Protection Act (the "storage limitation" principle, which GDPR carries forward). It does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that data shall not be kept for longer than is necessary for the purpose or purposes for which it is processed. The ICO's guidance on Principle 5 (Retention) covers this in more detail.
In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
At Trio Telecom we have put a GDPR policy in place and ensured that we comply with the requirements of the new regulation. If you require any further information, or have any questions, please contact your account manager.