Licence Link – Stepping towards the GDPR.
Data protection is currently covered by the UK Data Protection Act 1998 (DPA). On the 25th of May 2018, the General Data Protection Regulation (GDPR) will replace the DPA. Licence Link, the on-line licence checking service, is primed and making ready for the change.
The ownership of personal data is very clear. It belongs to the person and not to any business or organisation that holds it. This is the tenet of the General Data Protection Regulation, and it makes clear that holding and using an individual’s data without their verifiable consent will be considered a breach of the law. The regulation comes into effect on the 25th May 2018 and will not be affected by the UK leaving the EU. Where can businesses and organisations go for help and information, and what steps should be taken in order to comply with the new regulation?
The DPA and GDPR share similar concepts and principles, so the DPA is a good foundation for taking further steps towards setting up the controls and processes that the new regulation requires. However, there are important additions, approaches and procedures that will be necessary in order to be compliant. The “Guide to the General Data Protection Regulation (GDPR)”, published by the Information Commissioner’s Office (ICO), introduces the regulation and states that it is a “Living” document that will be continually expanded in key areas. It explains the provisions of the GDPR and includes preparation tools that will help businesses and organisations.
The publication highlights the legal obligations of data controllers and processors, including a section on the lawful basis for processing personal data. Lawful processing under the existing DPA allows for a default opt-in. The important difference is that the GDPR expects an agreement to be a deliberate act. In other words, the default to opt-in unless the individual states “No” will become a default to opt-out unless the individual states “Yes”. It is notable that lawful processing does not necessarily require an individual’s consent where a contract or legal obligation is concerned.
The section on Individual rights includes:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Other sections cover:
- Accountability and governance
- International transfers
- Personal data breaches
The volume of personal data held is increasing dramatically. The economic and social value of this data is tremendous, but it can carry a high risk to the individual if their personal data is not controlled and processed in a legal and proper way. Controlling the uses of personal data, ensuring consent is given and ensuring that all of the processes are transparent are the principles within the upcoming GDPR. This will be the data protection framework for all of Europe and the UK in 2018.
Licence Link is one of a portfolio of products developed, maintained and administered by Pinewood Technologies PLC. It is fully compliant with the DPA and is fully preparing to transition to the GDPR. Rest assured, protecting personal data is a priority requirement for every part of the business. After all, with hefty fines of up to 4% of annual turnover to be considered, it makes sense to be totally committed and prepared.