The EU General Data Protection Regulation (GDPR) regulates how your business processes personal information about living individuals. All businesses are required to comply with the data protection principles.
Making sure that you understand and comply with data protection regulations helps protect your business against regulatory action.
The data protection principles
To comply with the data protection principles set out in the GDPR, you must only process personal information (for example, that of a customer or employee) when you have a fair and lawful reason. You must do this in a transparent manner (ie by keeping the data subject informed of what you are doing with their data, how long you will keep it, and with whom it will be shared, if anyone).
'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it, whether through your business' IT systems, via CCTV or in a manual filing system.
You must limit your processing of personal information: only collecting the information you need, using it for specified purposes and deleting it when you no longer need it for those purposes.
You must also keep information up to date and hold it securely. There are restrictions on transferring personal data overseas, and you must take particular care with sensitive information (for example, details of an individual's ethnic origins or their health records).
Individuals have a range of rights under the GDPR:
- The right to be informed. This includes details of how information is collected, from where, what it will be used for (and why), and how long it will be retained.
- The right of access. Individuals have the right to ask to see the information you hold on them - known as a 'subject access request'. If you receive a request, you must normally respond within one month of receipt, and do so free of charge. This covers all data, whether it is held electronically, in paper form or in any other form.
- The right to rectification. Individuals can require you to correct inaccurate information, or to complete it if it is incomplete.
- The right to be forgotten. Individuals can require you to delete (or otherwise dispose of) the personal information that you hold about them (subject to limited exceptions).
- The right to restrict processing. Individuals can, in some circumstances, request that you restrict your processing of their information. It can still be stored, but not processed.
- The right to data portability. This allows individuals to obtain a copy of their personal information for re-use with other services.
- The right to object to processing. Individuals can object to you processing their personal data for certain purposes or on certain grounds (subject to limited exceptions).
- Rights relating to automated decision-making and profiling. If this type of processing is to be carried out, specific conditions will apply (eg it must be necessary for the entry into, or performance of, a contract, or you must have the individual’s explicit consent). In addition, individuals affected by such processing must be given information about it and be given easy ways to request human intervention or challenge a decision.
Data protection fee
Under the Data Protection Act, businesses that processed personal information were required to register with the Information Commissioner (subject to exemptions) and to pay a fee.
There is no longer a requirement to register with the Information Commissioner but a fee remains payable (£40 for very small organisations, £60 for SMEs and £2,900 for large organisations with more than 250 staff and a turnover exceeding £36 million).