The GDPR is the strongest set of data protection laws in the world and currently covers the whole of Europe including the United Kingdom. It was mutually agreed and has been enforced since May 25th 2018. The purpose was to develop and modernise the pre-existing protection laws around individuals personal data.
The data protection laws that used to cover Europe hadn’t been significantly updated since the 1990s and so had not accounted appropriately for the huge technological advances that have been made since then. The way that personal data is now processed and profited on required a sophisticated new set of rules to ensure peoples personal data was not being unethically used without their full consent and this is what the GDPR provides. GDPR not only drastically influences the ways in which businesses and public sector organisations can handle the information their customers but it also gives the customers more control over their own information.
One of the brilliant ways that GDPR has put more power into the hands of the individual is by scrapping the cost of requesting a Subject Access Request (SAR). This previously cost £10 per request. When someone makes an SAR the business has one month to gather all that individuals data that they have held and issue it to them. This will enable individuals to have more control over their own data.
Any individual, organisation or company that are either controllers of processors or personal data will be covered by GDPR and must comply. GDPR and other data protection laws rely on the term ‘personal data’ when information about individuals is mentioned. There are two main types of ‘personal data’ that is ‘personal data’ and ‘sensitive personal data’.
Personal data as well as sensitive personal data will be protected by GDPR.
Personal data encompasses a complex and broad category of information but to put it simply it is any piece of information that can be used to identify an individual, so this could be anything from birthday to your IP address. Sensitive personal data includes anything consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The conditions that have to be met for an organisation to process special category data are as follows:
- Explicit consent
- Employment, social security and social protection (if authorised by law)
- Vital interests
- Not for profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interests (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research and statistics (with a basis in law)
One of the main improvements and differentiators between GDPR and other data protection acts is that not only does GDPR protect individuals personal data and sensitive personal data but it also protects pseudonymised personal data – if it is possible that a person can be identified by a pseudonym.
One of the ways that GDPR has been able to be more rigorous with their enforcement is that they will fine businesses that do not comply. The GDPR states that small offences can result in fines up to ten million euros or two percent of the firm’s global turnover, whichever is greater. This is a much more significant fine than the previous maximum fine the ICO could issue of £500,000.
Since the UK has left the EU the UK’s 2018 Data Protection Act will kick in soon. The UK’s 2018 Data Protection is an almost identical copy of GDPR so that there will not be any huge changes to the data laws. So post Brexit the right of EU citizens will still be protected by GDPR and business and organisation will not have to change their policies but for organisations that move data between the European Economic Area and the UK there could be some minor changes as the UK will no longer be technically be a part of GDPR.
GDPR and all data protection laws are constantly evolving and it is close to impossible to always be fully GDPR compliant, especially when the services you provide are evolving at the same time. The UK information commissioner has stated she will not be trying to find companies to make examples of and issue them with the maximum penalty straight away as she understands what a big shift this can be for companies. The ICO wants to initially take a collaborative approach to enforcing compliance however they will be much more lenient on those companies who have shown that they are making attempts towards compliance than those companies who have not done any work around it at all.
How TopSource can support you
TopSource has set up a fast-track payroll service to make this easy, guaranteeing a simple on boarding experience to support compliance in as little as four weeks.
Simply contact us to find out more.