GDPR…attack of the acronyms!
What is GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy regulation. It is aimed at strengthening and aligning the protection of personal data of all European residents. The regulation covers the acquisition, storage and use of personally identifiable and sensitive data. It gives individuals the right to obtain their own personal data and to have it corrected or removed, so European residents gain more control over their own personal data. GDPR comes into force across Europe on 25 May 2018.
Who does GDPR apply to?
The regulation applies to all companies that gather, store and process data of European citizens, including companies based outside the European Union. Any company that processes European citizen data is required to state its reasons for acquiring and processing the data, document how the data is processed, ensure appropriate security for the data it handles, and discard or anonymise the data once the reasons for processing no longer apply.
Watch the GDPR webinar
With the topic of GDPR hot on everyone's lips, why not get up to speed by watching this webinar presented by Phil Young of Zero Support. Phil will discuss the content of the GDPR white paper, the guiding principles of GDPR, mapping data, documenting processes and drafting policies for staff.
Seven GDPR guiding principles
- Lawfulness, fairness and transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation: Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data minimisation: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy: Data must be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay
- Storage limitation: Data must be kept in a form which permits identification of data subjects for no longer than is necessary
- Integrity and confidentiality: Data must be processed in a manner that ensures appropriate data security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Accountability: The data controller must be responsible for, and be able to demonstrate compliance with all of the above principles
Your GDPR jargon glossary
GDPR broadens the definition of what constitutes personal data compared to that in the Data Protection Act (DPA). As well as traditional personal data such as email addresses and contact details, any identification numbers, IP addresses and locations are now included.
Each person to whom the personal data refers is known as a data subject.
Again, GDPR has broadened this definition compared to that of the DPA. The main difference is the inclusion of biometric data as sensitive personal data. Sensitive data also includes religion, political beliefs, sexual preference, race and ethnicity.
A data processor carries out operations on personal data either manually or automated. This includes collecting, recording, organising, storing, changing, retrieving and sending data. It also covers restricting and destroying data.
Nucleus is a data processor of both adviser data and client data. An adviser firm is a data processor of client data.
A data controller is a person or company who decides the purpose for which any personal data is to be processed and the way it will be processed. This can be one person acting alone or jointly with others.
Nucleus is the data controller for the adviser and client data that we hold. Adviser firms are the data controllers for the client data that they hold.
Consent must be freely given, specific and informed. It must constitute an unambiguous indication of an individual's wishes. GDPR makes it clear that pre-ticked boxes or failure to opt out will not constitute valid consent.
GDPR defines the lawful grounds for data processing to be:
- Consent of the data subject
- Necessity for the performance of a contract
- Legal obligation
- Necessary for vital interests of the data subject
- Necessity for the performance of a task in the public interest
- Legitimate interests of a data controller, such as the data subject being a client of, or receiving a service from, the data controller
This is the automated processing of personal data for evaluation, analysis or prediction. Consent must be obtained, and the data subject's right to challenge and object must be included.
What about Brexit?
Brexit is unlikely to have a significant impact on GDPR. Not adopting regulations equivalent to GDPR means the European Commission could reject the UK's application for adequacy status. This is required for the free flow of information between the UK and EU without the need of separate contractual arrangements.
So while GDPR could be amended or watered down post Brexit, it's best to assume this will not happen in any material way. The UK's own data protection bill clearly indicates a UK intention to replicate GDPR post-Brexit.