# What is GDPR all about?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives:
- People more control over how their personal data is used.
- Businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.
# What is meant by Lawful?
Lawful processing of data can come under one or both of two circumstances. The first is that the subject has consented to their data being processed. The second is complying with a contract or legal obligation to protect an interest that is ‘essential for the life of’ the subject, is in the public interest or is in the controller’s or subject’s legitimate interest, such as preventing fraud.
# How do I get Consent?
Consent must be an active, affirmative action made by the subject. It can no longer be passive acceptance, for instance where there are pre-ticked boxes or opt-outs. Controllers must also keep a record of how and when the subject gave consent. The subject may also withdraw their consent at any time.
# What counts as personal data?
The definition of personal data has been substantially expanded under the GDPR, to reflect the types of information that companies collect on people. IP addresses are now considered to be personal data, as is other data such as economic, cultural and mental health information. Anything that is counted as personal data under the Data Protection Act qualifies as personal data under the GDPR.
# When can people access the data that is stored on them?
People have the right to access any information a company holds on them, and the right to know why the data is being processed, how long it has been stored for and who can see it. The data must be provided to them in a secure, direct way using plain language. If it is incorrect or incomplete, they can then ask for it to be rectified.
# ‘Right to be Forgotten’
People have the right to demand that their data is deleted if they withdraw their consent, object to the way the data is being processed or if it is deemed no longer necessary for the purpose it was collected. This is known as the ‘right to be forgotten’.
Everyone is gearing up for the 25th May deadline. The benefits to the individual are increased control and the knowledge of just how your personal information is being processed. The benefit to Antal has been the great opportunity for operational review, policy enhancement and data cleansing.