The first in a series of blogs helping you understand the new General Data Protection Regulation (GDPR)
There’s a new data protection regime coming into force in May 2018: the General Data Protection Regulation (GDPR). You may already have heard about this new Europe-wide regulation, which will replace the UK’s current Data Protection Act (DPA) to take account of the technological revolution that has taken place since that legislation was introduced in 1998. We’ve already got a page about GDPR on the Knowledge Base section of our website to give you an overview.
Over the coming weeks and months, we’re going to be using our blog to help you understand in more detail what this might mean for your business and how to prepare yourself for the change. This week, we’re taking a closer look at how the definitions of personal and sensitive personal data will change, and what you’ll need to do if you’re a ‘data controller’.
GDPR personal data
Personal data means any information which relates to a living individual who can be identified from such information. While this will depend on context, examples include a current address, the salary details for a particular post-holder in a company, an itemised phone bill or an expression of opinion about the individual (such as a job performance appraisal). The GDPR’s definition of personal data is widened to include online identifiers, such as an IP address, that can be linked to the individual. Meanwhile, certain types of information are categorised as sensitive personal data, which organisations must take special care to protect, and must have justifiable business reasons to hold. Currently, this covers demographic data (e.g. ethnicity, political opinions, religious beliefs, physical or mental health, etc.), but is extended in the GDPR to include biometric data.
Any organisation which obtains, records and holds personal data needs to consider whether it should be registered as a data controller with the Information Commissioner’s Office (ICO) under the DPA. A data controller is defined as an organisation (or a person) who determines the purposes for which and the manner in which any personal data are, or will be, processed. Most organisations will be registered as data controllers because they keep HR records, customer lists, or contact details for stakeholders.
For the majority of UK data controllers, the forthcoming changes to what constitutes personal or sensitive personal data should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. But do bear in mind that new technology or security developments might mean that data you’ve been holding on individuals could now be used to identify them. We’d recommend that you undertake an audit of your automated and manual filing systems over the coming months, to make sure they are robust in protecting personal data and that you have sound justifiable business reasons for storing any such information.
Next time, we’ll be looking at how the GDPR will be changing an individual’s right to consent to the use, storage and sharing of their personal data.
With CAS’s range of services covering paper document storage and electronic data storage, we can help you to protect all the personal data you store. And if you need to dispose of old IT equipment or shred old paper documents, we can ensure you’ll meet your data protection responsibilities. Give one of the CAS team a call now if you have any questions or to get a quote for any of our services.
For a free, no-obligation quote, please contact our specialist team.
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS has worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS holds an impressive array of international certifications (ISO standards), which demonstrate our compliance with the strictest national, European and international laws. They also demonstrate our commitment to providing innovative systems for security, confidentiality and quality control in keeping your files safe and well managed.