What does it mean?

Businesses will now need to document, be able to demonstrate and be accountable for communicating and ensuring Privacy, Fair Usage and Security of Personal Data.

Those individuals about whom you collect and use data will have new rights in addition to updated rights from previous legislation.

A significant change introduced is the scope of "Personal Data", which now encompasses any data that can identify an Individual Living Person, be that person a consumer, customer, employee, supplier or otherwise.

Put simply, businesses no longer "own" the data they collect. GDPR gives control of Personal Data back to the individuals to whom it belongs, who in turn grant businesses permission to use it for specific purposes.

How Xynics can help

XYNICS CAN OFFER A RANGE OF SERVICES AND ASSISTANCE FOR GDPR COMPLIANCE

For many businesses who are already compliant with The Data Protection Act 1998 and the Privacy & Electronic Communications Regulations (EC Directive) 2003, much of the GDPR will already be in place.

In addition to our own experts we partner with a number of GDPR professionals who can help you by:

  • Advising on how GDPR may apply within your business
  • Undertaking "Discovery" to ascertain what data your business holds and how it is used
  • Helping you to document your business data flows and procedures
  • Guiding you on implementing new GDPR compliant procedures and data activities
  • Working with you to draft new Privacy Statements and Consent Mechanisms

Need a toolkit of Documents, Checklists, GAP Assessment, Forms and Examples to help you along on the road to GDPR compliance?

The toolkit contains template documents and checklists and entitles you to 12 months of updates and support, to help you update your policies and procedures to achieve GDPR compliance quickly.

Normally £395 + VAT; take advantage of our partnership with CertiKit and get 10% off by entering the code "XYNICS10" at the checkout.

Buy the Toolkit

Remember, enter the code “XYNICS10” at the checkout to get 10% off!

  • At the most basic level, Personal Data is any data that can identify a Living Individual Person.

    Examples quoted in the legislation are: Names, Addresses, Emails, Phone Numbers, Social Media Posts, DNA, Photographs, CCTV images and Account Numbers to name a few.

    Under GDPR, even a single data item such as a name can be classified as Personally Identifiable if you, or any other person, could reasonably identify that single individual from it.

  • For most businesses, you will need to update your documentation and ensure business processes are compatible with the GDPR.

    A core change is the need to be able to demonstrate either a lawful reason for processing (of which there are a few), or that you have been given explicit and informed consent to process the data by the individual concerned.

    For each data processing activity you will need to document and demonstrate: the reason for processing, what data you collect, the necessity and relevance of that data, how long you intend to retain it in an identifiable form, and the lawful basis you rely upon to collect, use, store and/or share that data.

    The GDPR can impact your business in almost all areas including HR, Finance, Sales, Marketing and IT. Provisions are available, however, to ensure that the GDPR does not make running your business difficult.

  • Individuals have had rights under the Privacy & Electronic Communications Regulations and the Data Protection Act for many years; however, most of those rights date from a time when data was largely in physical form, in card files and filing cabinets.

    GDPR acknowledges the digital age and extends those rights as well as introducing new ones. A few of the key changes are:

    • Rights of Access to data are changing; you can no longer charge for a Subject Access Request.
    • A right to Data Portability is introduced; Individuals can require you to transfer data you hold to them, or directly to another nominated party.
    • Rights to restrict processing or to prevent processing are updated.

  • It has been well publicised that under the new GDPR the penalties for non-compliance are potentially high, up to €20 million or 4% of annual Global Turnover. Unfortunately the media and some less scrupulous organisations might use this as a scare tactic to draw people in.

    The GDPR is not meant, or designed, to be a noose around the necks of business. It is not designed to make doing business more difficult and, for the most part, it is not aiming to levy heavy financial penalties for non-compliance.
    The GDPR is designed to ensure proper control, privacy and security of the Personal Data of individuals about whom businesses collect, use, store and/or share data.

    The Supervisory Authorities (in the UK, the Information Commissioner) are not going to hit businesses with massive fines if they have not already received guidance on their practices, unless such practices are deemed to be so severe that any reasonable person would consider that the organisation concerned was grossly negligent in its actions or inaction.


Legal Basis for Processing

The GDPR provides six "Lawful Conditions of Processing", from which your business must choose one for each Data Processing Activity. You must not rely on one lawful basis and then switch to another should the circumstances of processing change, such as an Opt Out or a request to cease processing from the Individual.

  • The processing is necessary for a legitimate interest.
  • The processing is necessary for a task carried out in the public interest.
  • The processing is necessary to protect the vital interests of the individual or another person.
  • The processing is necessary for compliance with a legal obligation.
  • The processing is necessary for the performance of a contract.
  • The processing is performed with explicit informed consent from the individual(s).

What are Special Categories of Data?

The processing of "Special Categories of Data" falls under one of ten specific grounds for processing, the first and foremost of which is explicit consent from the Individual(s) about whom you collect that data.

Special Categories are defined in the legislation as personal data that reveals:

  • Family, Lifestyle or Social Data
  • Data concerning a person's Physical or Mental Health
  • Education, Employment or Financial Data
  • Racial or Ethnic Origin, Political Opinions, Religious or Philosophical Beliefs
  • Trade Union Membership Data
  • Genetic Data or Biometric Data processed for the purpose of uniquely identifying a natural person
  • Data concerning a natural person's sex life or sexual orientation
  • Data concerning Criminal Proceedings, Offences or Outcomes

The only exception to this is where that data has been made publicly available by the individual concerned.


GDPR Resources

The Data Protection Advice Hub - Coming Soon
A website being developed by Xynics in partnership with other professionals to enable the business community to share real-life Personal Data scenarios and receive guidance on how GDPR applies to them.

The Information Commissioner's Office
Many useful pages from the ICO to help businesses understand the legal framework that is the GDPR.

The General Data Protection Regulation - Text
For those who are interested, this PDF document outlines all 173 Recitals and 99 Articles that make up the legislation.

Events

The General Data Protection Regulation - Open Workshop
Date:   14th November 2017
Time:  2pm.  Arrive any time from 1:30pm to meet and mingle with fellow attendees
Duration:   2 Hours
Location:   Large Meeting Room, Newton House, Northampton Science Park.

This is the first of a series of workshops designed to help fellow businesses to ascertain how GDPR might affect them as well as for Xynics to gather some anonymised real-life scenarios to publish on our new Data Protection Advice Hub portal that is in development for public release by the end of November 2017.

The workshop will start with a short overview of what GDPR is and what it means.
Afterwards, there will be an open table discussion where you can present your own real-life Personal Data scenarios and receive back guidance on how the GDPR would apply to that scenario.

Click here to register to attend this or other events
