General Data Protection Regulation - GDPR

On May 25th 2018 the new data protection reforms will take effect, and many people want to know how it will affect them.

The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The ICO (Information Commissioners Office) have published a number of really helpful guides, and checklists.

Here’s the link to the ‘Getting ready for the GDPR checklist’:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

There is also the ’12 steps to take now’ guide here:

https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf

The ICO are aiming to provide a suite of data protection guidance that is as comprehensive as possible by May 2018, so it’s worth visiting their site to keep up to date as things move forward. https://ico.org.uk/

How the GDPR might affect your business

When you record a person’s details you are recording data, there are some rules that you may need to know:

Lawful Basis for Processing

Data can only be processed if there is at least one lawful basis to do so. The lawful basis for processing data are:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Your rights to YOUR data under GDPR

Do you want to know your rights to any data that is held on you after the GDPR comes into effect on May 25^th 2018, the ICO has published a guide under ‘Individuals Rights’, the link is here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/

 On a final note, The ICO have published a data protection self-assessment toolkit.

“Use our checklists to assess your compliance with the Data Protection Act and find out what you need to do.

Good information handling makes good business sense, and provides a range of benefits. You'll enhance your business's reputation, increase customer and employee confidence, and by ensuring that personal information is accurate, relevant and safe, save both time and money”.

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/

We hope our clients find some of this information useful, and we will update this post as more information becomes available.

GDPR and Record Keeping

We have received a number of requests from clients regarding record keeping in light of the new General Data Protection Regulation (GDPR) which is due to come into effect on 25^th May 2018. This is something that we  are currently working on to get a definitive stance. 

 Currently in our policy wording notes: -

The records shall be kept for at least 7 years following the last occasion on which treatment was given.  In the case of treatment to minors, it is advisable that records should be kept or at least 7 years after they reach the age of majority (18). 

                                                                                                  Record Keeping - Condition 14 c, on page 35

The Statute of Limitations in the UK (i.e. time when an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of majority in the case of minors, hence our policy conditions.  Your records are your best line of defence in any claim situation hence the need to keep the records for at least this long, and there are provisions under the GDPR with regards to keeping records to defend yourself in a claim situation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/  - When can I refuse to comply with the right of erasure). 

It is likely that our policy wording following GDPR will keep in line with the above, however we are waiting for further clarification from our Insurance partners regarding this. We will ensure that we write to all clients as soon as we have had confirmation and in good time for them to comply with GDPR.

The information above is provided as guidance only and is not exhaustive. It does not supersede, amend or negate the provisions of the GDPR or any other applicable data protection legislation. For more detailed or specific guidance please refer to: www.ico.org.uk