When is the new law coming in to force?

On May 25th 2018, GDPR will come in to force. It will oblige controllers of personal data to process the data lawfully, fairly and transparently. It will compel the controller to collect the data for a specified purpose, which must be communicated to the data subject in a concise and clear manner. The controller cannot collect data that is excessive and hold it for longer than is necessary. The controller must have appropriate technical and organisational measures in place to protect against unauthorized or unlawful processing or the accidental loss or damage to the data. 

What is personal data?

It is very broad. It is information relating to an identified living individual or living individual who can be identified from the data, directly or indirectly by reference to an identifier or a factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Special categories of data includes personal data revealing the racial, ethnic origin, political  of religions opinions of the data subject, trade union membership. genetic, biometric, health and sexual orientation data. 

What is processing?

Again, it’s very broad. It includes collecting, recording, organizing, structuring or storing data. It includes adapting, altering, using, disclosing, restricting, erasing and destroying data. GDPR compels a controller to make a record of all data processing activities. 

family law solicitor

New rights for data subjects.

GDPR brings a array of new rights to protect  data subjects. Some include

  • the right to be informed of processing,
  • the right to access that data,
  • the right to have any inaccuracies rectified,
  • the right to be forgotten,
  • the right to obtain a copy of the data for no charge within 30 days of requesting it,
  • the right to know about the use of profiling,
  • the right to know if data has been transferred outside of the E.E.A
  • the right to complain to the Data Protection Commissioner.
What to do before May 25th?
  • Controllers must review and update their Data Protection policies and communicate these to their employees, customers and suppliers.
  • Data controllers must satisfy the lawful ground of processing data under GDPR by them and their processors.
  • The technical and organisational measures to protect data must be reviewed and documented.
  • Policies and procedures must be put in place to deal with data breaches and subject access requests.
  • New contracts will have to be put in place with data processors.
  • A data inventory will have to be prepared. In some cases, data will have to be erased if there is no lawful ground for storing it after May 25th 

If you need assistance complying with GDPR

Book an appointment with Shona