Firstly, this is JUST a heads-up for those of you who may need to consider the implementation of the General Data Protection Regulations.

DISCLAIMER : This is by no means a comprehensive guide. You must do your own research and consulting to make sure you are in compliance.

A lawyer told me that GDPR replaces the Data Protection Act. He went on to say that there is a major difference in the nature of the new regulation. The old DPA sought to regulate the way data is stored, and how it’s accessed, processed and so on. GDPR sets out further to ensure that data is handled capably by all those with access to it, attending to its security, controlled access, accuracy and so on.
Data ‘holders’, to give them a name, must demonstrate their accountability. They must show that processes are in place and implemented. Organisations may be subject to an audit of their procedures in terms of their GDPR compliance. Note, this is BEFORE any breach of data, or its use, or misuse, has occurred.

As either a ‘Data Controller’ or ‘Data Processor’, you have responsibilities governing what you do with data in your possession.
There are several aspects to holding data under the GDPR:

Transparency – You must reveal the data you hold on a subject to that subject.
Consent – You must have the data subject’s permission to hold that data, and their consent to send them emails or text messages, for example.
Accuracy – Any data you hold must be correct, to the best of your knowledge.
Deletion – You must delete the data if there is a legitimate request to do so.
Correction – Inaccuracies must be corrected on request.
Retention – You may not hold data for longer than is necessary.
Privacy – You may not reveal data to another party unless you have the subject’s consent to do so.

A data holder must show that data held is essential to the activities of the holder. A GP’s surgery must hold data on their patients, their medical records. An MOT garage must hold data on their customers, to send a text or email reminder that a test is soon due. A company might hold a database of local businesses, and send emails about their latest developments, to generate new business.
The data subjects have a number of rights. They can demand details of what data is held, request corrections if necessary, or choose to have the data deleted: the right to be ‘forgotten’.
This last item raises a question: what about the data held in backups? The brief answer is that, yes, a subject’s data must be deleted from the backups as well.
Employee records in HR departments may require particular consideration. How long is it necessary to keep personal data after an employee leaves?

In case you hadn’t heard, penalties for transgressions under GDPR can be massive. Anything up to 4% of global turnover, or 20 million Euros – whichever is the greater.


Please find a source for further reading:

Data Protection
