January 2018

FIBA Advantage

GDPR and the treatment of personal data

By Mark Greenwood, SimplyBiz Group Regulatory Policy Manager

Data protection has become more important than ever before with the impending implementation of GDPR in the UK on 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the implementation of GDPR in this country.

GDPR is designed to reinforce an individual’s right to take control of their own data and lays down rules relating to the protection of natural persons regarding the processing of personal data.

Every company and organisation that handles personal data that would allow a living EU individual to be identified is affected by GDPR.

GDPR requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • Accurate and up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the reason for which the personal data is processed
  • Processed in a manner that ensures appropriate security of personal data

GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the Data Protection Act, i.e. the controller says how and why personal data is processed, and the processor acts on the controller’s behalf.

GDPR will place specific legal obligations on your firm. For example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.

As a result of the importance of this regulation, we will be issuing a series of GDPR bulletins which will be made available to FIBA in the coming weeks and months.