GDPR and what it means for your EPOS solution.
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, that’s the last Friday in May! The new EU regulation will bring considerable changes to the existing data protection law in the UK and across the EU for the first time in 20 years. GDPR’s ‘long arm’ jurisdiction ensures that companies processing data on EU citizens must comply with the new requirements, wherever those companies are based.
The GDPR focuses on enhancements to existing individuals’ rights whilst creating some new ones, but before we go into detail it’s important to understand that organisations in breach of GDPR can be fined up to €20m or 4% of global turnover. Fines are staged depending on the seriousness of the infringement, and with the mandate that data breaches must be notified to the Information Commissioner’s Office (ICO) no later than 72 hours from the event, these penalties highlight that the new regulation is to be taken very seriously indeed.
So, what does the GDPR cover in terms of processing data on individuals?
- Subject Access. This area deals with confirming to the individual what data is being processed and giving them access to that data freely and in a timely fashion (unless the request is “manifestly unfounded or excessive”). This is a dramatic change which gives individuals more transparency and power.
- Right to Rectification. Individuals can request that personal data is rectified without undue delay if the data is incomplete or inaccurate, which goes hand in hand with the right to access above. Any data held needs to be amended quickly.
- Profiling and Automated Decision Making. The profiling aspect ensures individuals’ rights not to have decisions made against them are adhered to unless explicit consent has been given. Clear affirmative action is required: failure to de-select those ‘pre-ticked’ boxes we often see will no longer constitute consent. Moreover, bundled consents are no longer valid - instead separate consents for individual actions must be obtained, and for marketing purposes explicit opt-ins will be required.
- Data Portability. This stipulates that personal data can be given to an individual or third party in a “commonly used, and machine readable form”, so any data held on a subject must be able to be extracted and supplied to the subject in a commonly-used file format such as ‘.xml’ or ‘.csv’.
- Erasure. Perhaps the most daunting aspect of the GDPR, otherwise known as the Right to be Forgotten. Individuals can request that electronic data is completely removed from your systems “without undue delay”. It also stipulates that data is not processed if the purpose falls outside the scope of what it was originally necessary to process it for. It can seem a huge task to assess where a subject’s data resides in the first place and whether or not it falls into or out of scope for this requirement; there are exceptions such as legal requirements (finance institutions keeping data for 7 years), datasets that are impossible to erase, and non-electronically filed documents.
- Restrict Processing is an alternative to the right to erasure, applied as an interim measure whereby data can be marked as restricted whilst there is an ongoing dispute or a withdrawal of consent from the individual.
Written by Daniel Tombs, Project Manager at Cunninghams Epos Group
GDPR presents an opportunity to increase the security and protection of your users’ data. Yes, it’s a lot of regulation to digest, but be assured that compliance will bring with it trust and respect between your business and end users - and with this new regulation there is no opt-out, so if you haven’t acted already, now is the time!
Find out how Cunninghams Epos Group can support you by calling us on 0330 024 5014 or email us with any questions.
(Reference material obtained from ICO website)