GDPR is a set of regulations that businesses must adhere to in regards to the collection and storage of employee and customer data – breaching these rules could land companies with a serious fine.
No matter what size your business is, if you handle any personal data (and you most likely do!), GDPR is relevant to you.
What is personal data?
Personal data under GDPR only includes:
- information relating to people who can be identified or are identifiable directly from the information in question
- people who can be indirectly identified from that information in combination with other information
Personal data can be your name, surname, home address, email address, location data from your mobile device, IP address or data held by a hospital or doctor that could uniquely identify a person.
There are six lawful bases for processing data:
- Consent
- Contract
- Legal Obligation
- Vital Interest
- Public Task
- Legitimate Interest
Most of the lawful bases depend on the data processing being ‘necessary’.
Data is held by businesses under the Legitimate Interest base for many reasons which can include marketing, fraud prevention and network and information security.
What are the eight rights for an individual’s personal data?
The right to be informed means that individuals should be informed what personal data is being collected about them, why it is being collected and by who, if the data will be shared and for how long the data will be kept.
The right of access means that an individual has the right to submit access requests to learn what information is being held about them.
This may include why the information is being gathered, who the information is being shared with and any of the other pieces of information covered by the right to be informed.
The right to rectification allows individuals to ask the organisation to update any inaccurate or incomplete data they have on them.
This may be an incorrect address or a change in surname.
The right to object to processing allows individuals to ask the organisation to stop processing their personal data.
The right to object depends on the purpose and lawful basis for processing.
The organisation does not have to cease processing if there are legitimate grounds which overrides the interest and rights of an individual.
Rights in relation to automated decision making and profiling. This means that an individual has the right to object to decisions based solely on computer processing and to question decisions made about them by a computer.
They can also request a person to be involved in the decision making, particularly if the decision has a significant effect on them.
The right to be forgotten means that individuals can ask for their personal data to be erased/deleted if the data is no longer necessary, being unlawfully processed, consent is withdrawn by the subject or if the subject is objecting for other legitimate reasons.
The right to data portability means that individuals can request any personal data they have previously provided to an organisation in a readable/structured format. They can also request their data is transferred directly to another organisation.
This may apply if a person is switching service providers for gas or electricity.
The right to restrict processing means that an individual can request that an organisation limits how it uses personal data. The organisation will not be able to process it further unless they have consent.
How do you audit your data?
How do you manage your data? Have you given consideration to why you have it or if it still needed? Do you inform clients/customers/individuals about the data you gather?
The responsibilities change depending on whether you are a data controller or data processor.
A data controller determines the purposes and means of the processing of personal data.
A data processor processes personal data on behalf of the controller.
If your organisation is a data controller, then you must ensure that you are complying with UK GDPR and comply with the six lawful bases and the eight rights.
How can WA Management help?
WA Management offer a GDPR online training course which is suitable for managers or any employees who handle data.
GDPR and Security & Terror Alerts are essential tools in protecting your business from physical and operational threats. Make sure you don’t miss out on our 10% off deal on these courses, available until the end of November. Simply enter the code ‘secure10’ at checkout to save!
Read more Consultant’s blogs here.
To keep up to date with the latest health & safety news and advice, follow us on social media: