In May this year, UK data protection laws are getting a serious makeover. When GDPR comes into effect, it will be the biggest change in data protection rules in over two decades, so it's no wonder business owners are starting to get a little hot under the collar. One of GDPR's main focuses is the acquisition, storage, management and use of personal data by businesses. This means a lot of businesses are racing to review their compliance and put policies in place before the final implementation date in May. But what are the changes, and how can a business store, manage and use personal data in compliance with GDPR without being overwhelmed? To comply with GDPR, one first needs to understand what personal data includes.
What Constitutes Personal Data?
Not only have the rules around what you can and can't do with personal data changed, but the very definition of what constitutes personal data has as well. This new definition of personal data is much broader than the scope detailed in our current Data Protection Act, and is designed to further protect the rights of the individual. Now, personal data means any information relating to an identified or identifiable natural person (known as the 'data subject'). The regulation clarifies this point by stating:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As you can see, this encompasses many more data points than previous laws. A big concern for many businesses is that under this new definition, personal data will include online identifiers commonly logged automatically by websites or software, such as IP addresses, metadata or even mobile device IDs. This presents a whole host of new challenges around the wider management of business practices that affect personal data.
New Consent And Usage Rules
Along with the amendments to what constitutes personal data, one of the biggest changes to come in with GDPR centres around consent: that is, the individual's consent for you to use and store their data. At the moment, the Data Protection Act allows businesses to operate on an 'opt out' basis, where individuals can be added to mailing lists or have their data stored automatically unless they tick the box to opt out. But GDPR is turning all of that on its head. Now, individuals will need to give express consent to their data being used, and that consent must state what they are consenting to it being used for. Individuals also have the right to withdraw that consent at any time, which creates storage issues later on (more on that in a moment). In order to be compliant, businesses need to provide an audit trail that clearly shows consent being given, and for what. Without it, they could be in breach of GDPR.
There is also the area of automated processing, which has many businesses justifiably concerned. This is yet another law being absorbed into GDPR, but its full consequences are still uncertain. Essentially, it means that when individuals are "profiled" by an algorithm based on their personal data (such as an evaluation of their health, wealth or movements), the individual can demand that this action be performed by a person, and not by an automated process or a machine. This might not sound like much, but in fields such as insurance, wealth management or even job applications, automation is becoming commonplace and heavily relied on, so this could present some serious problems.
Storage And Access Issues
Of course, that isn't all that GDPR has changed. As well as putting even more security obligations on companies who are collecting personal data, GDPR also gives individuals much more power to access the information held about them by companies. Under our current Data Protection Act, the Subject Access Request (SAR) section allows businesses to charge individuals £10 to access the data held about them. But GDPR is scrapping this, allowing requests for personal information to be made free of charge and at any time. It also gives individuals the power to demand that the data be erased, known as 'the right to be forgotten', which applies in the following circumstances:
- The data is no longer necessary for the purpose it was collected for
- Consent is withdrawn
- There is no legitimate business interest in holding the data
- The data was unlawfully possessed
Given this and the new consent rules, it is now more important than ever that businesses have a secure and manageable way to store their data. The first and most difficult challenge for many businesses will be knowing what personal data exists within the business, and then how to consolidate its storage into a single location for ease of access, and of deletion if requested.
How Can Tipac Help Manage Personal Data?
Thankfully, there are a few easy wins that will make compliance with GDPR a much simpler process. At Tipac, we provide businesses with tailored content management solutions that go well above and beyond the simple re-directing of files. As well as the productivity benefits, Tipac's bespoke solutions provide a number of benefits to businesses striving for GDPR compliance, including full document life cycle management, logging of all document movement and access, secure access to documentation, single repository linking, and digital signature and consent software. Together these give many businesses all the tools and support they need to manage the storage of personal data. For more information, or to book your free demo, just get in touch with us today.