How GDPR affects the personal data you hold

In the second part of the GDPR blog series we’re covering how GDPR affects the personal data you collect and how you store it. You can read the full series by following the links below:

  1. The General Data Protection Regulation – An introduction to GDPR
  2. How the GDPR affects the personal data you hold
  3. Plan how you need to change ahead of GDPR implementation
  4. How GDPR gives rights to individuals and their data
  5. What is your lawful basis for processing data
  6. GDPR gives you a duty to prevent and report data breaches

GDPR and the personal data you hold

A key part of GDPR compliance relates to a person’s right to be forgotten. Any data that can be deemed ‘personally identifiable’, such as names, dates of birth and contact information, as well as more modern data such as IP addresses, cookies and biometric data, will be governed by the new laws.

GDPR comes into effect on 25th May 2018 and will bring with it the biggest shake-up of data protection laws in 20 years. By the time it is introduced you should have documented how you gathered, and how you use, all the personal data you hold, including who you have shared it with or will share it with.

The right to be forgotten

Individuals will have the right to request that you delete their information without “undue delay”. This new emphasis on the right to be forgotten places great importance on your business having clear procedures for how you retain and deal with all personal data. People will also be able to request that you change or update their information. In this case you will also be responsible for informing anyone you have shared it with so they can do the same, so accurate documentation and record-keeping is vital.

Consent and usage rules

Along with updates to what actually constitutes personal data, one of the biggest changes is centred around consent. The current Data Protection Act allows businesses to operate an ‘opt out’ process where personal data can be added to a list unless the individual has specifically declared it can’t. With GDPR you must have a clear lawful basis or explicit consent for data to be stored and what it will be used for.

In addition, any data you do store may only be kept for as long as is necessary for the particular purpose, and you should be able to provide a copy of the data you hold if the individual requests it. Many larger organisations are facing real challenges both in identifying what type of data they hold and in establishing where the various pieces are actually stored.

For smaller businesses, a simple way of checking whether you are using data correctly is to ask the question: “What was the reason for gathering this data, and are we still using it for the reason we were given consent for?” If you can’t fully answer this question, or think you have mismanaged the data, then you are not complying with GDPR rules.

For larger businesses, ensuring compliance may mean re-requesting consent from individuals once they have the necessary processes in place; for others it will mean strictly documenting how and why they hold any individual’s information. If it is no longer necessary to hold the information for the consented purpose, it should be erased.