GDPR may not be fresh news anymore, but there is still confusion over what it covers. Read on to uncover the meaning of GDPR and how GDPR compliance affects your record keeping.
In 2018, the Data Protection Act was updated to incorporate GDPR. Compliance is mandatory, with heavy fines in place for businesses that are not compliant with the regulations. But although much ink has been spent outlining how the GDPR impacts UK and European businesses, there is still ongoing confusion. This is a mistake that could have costly repercussions. Understanding UK GDPR and how this affects your records management is therefore key, so we have put together the following helpful information.
What does GDPR stand for?
GDPR is an abbreviation of the General Data Protection Regulation, and it was designed to redefine how our personal data is managed.
What is GDPR?
GDPR is an EU directive that established a new set of data protection principles and rights. GDPR applies to all organisations of all sizes that process personal data in physical or digital form.
‘Personal data’ is any information that can be used to identify someone. For instance:
- Names
- Addresses
- Email Addresses
- Location data, such as an IP address
It also includes ‘special categories’ of personal data, such as:
- Race and ethnicity
- Sexual orientation
- Health data
- Biometric data
- Criminal convictions and offences
When did GDPR come into force?
GDPR came into effect in the European Union in spring 2018. It was then introduced into UK law via an update to existing legislation. This became the Data Protection Act 2018.
An important element in the GDPR is a focus on ensuring that companies, businesses and organisations of all sizes do not keep data on their clients any longer than necessary. While the old UK Data Protection Act gave some attention to this concern, the Europe-wide regulations have a much bigger focus on this – with a stringent level of fines for those who don’t take this seriously.
How many principles apply to the GDPR?
There are 7 principles of GDPR. These principles are:
- Lawfulness, fairness and transparency: This refers to the reasoning behind the collection of personal data. The GDPR gives 6 lawful bases that may be used to gather and process personal data, and you must rely on at least one of them in order to be compliant. These reasons include fulfilling a contract, meeting a legal obligation or protecting a life.
- Purpose limitation: This principle means that your subjects must understand why they are giving you their personal information and what you intend to do with it.
- Data minimisation: You must collect the minimum amount of data needed to meet your organisation’s needs.
- Accuracy: To meet this principle, you must have processes in place to keep data accurate. Your subjects will be able to request that wrong data is corrected.
- Storage limitation: A key principle is that you must only keep data for as long as necessary. A timeframe isn’t specified by the GDPR, so it must be established by your organisation at the time the data is collected. (Remember that other UK laws may dictate this).
- Integrity and confidentiality: Data must be processed securely to avoid a breach. This doesn’t just refer to cyber-attacks. Your organisation must also protect physical forms of data. This includes limiting access to it to authorised persons and having a process of recovery in place.
- Accountability: The final principle means that those who process and control the data have a responsibility towards it and must comply with the other principles.
What is the maximum fine for a GDPR breach?
There are two tiers of penalties for GDPR breaches.
The standard maximum penalty is £8.7 million or 2% of the organisation’s total annual global turnover in the previous financial year, whichever is higher.
There is also a higher tier of penalty for more serious infringements. This tops out at £17.5 million or 4% of your global annual turnover.
Complying with GDPR: your record-keeping
As the GDPR principles demonstrate, GDPR compliance places a great deal of responsibility upon organisations that hold personal data. And staying on top of your record-keeping is an essential component of this.
For those who don’t operate an information management system at present, it’s a good idea to think about how long you need to keep your stored data. You will also need to work out proper review and destruction dates for it.
However, there is an easy way to handle your secure information management problems.
As specialist providers of secure information management and storage, Archive-Vault is at the forefront of ensuring that clients’ records are fully GDPR compliant.
We have years of professional experience in handling the storage of paper records and electronic documents, as well as a host of other data storage mediums. In addition, we offer a full data management service. This will introduce a smart, easily accessible system to your business to allow you to efficiently store data and retrieve it quickly when needed.
If you’d like more information on how we can help, get in touch with us today. Simply call 01603 720722 or email us on info@archive-vault.co.uk now for a friendly, professional data management and storage service you can trust.