Data backup legislation – it’s a minefield and it’s changing again in May 2018 when the EU GDPR (General Data Protection Regulation) comes into effect.
The essence of the GDPR is clearly on ensuring sensitive data is only gathered and available for the purposes for which it was intended; is not made available to other parties and is kept only as long as is necessary. In reality, much of the existing Data Protection Act (DPA) is included in the GDPR. However, there are several new caveats of which you should be aware.
The DPA states that whenever an individual’s data is collected they must be provided with the identity of the party doing the collecting and how their data will be used. Under the GDPR, individuals will also need to be informed of the period of time their data will be held for, and the legal basis under which the information is being processed. Updating all your privacy notices to convey this additional information is essential.
Individuals’ Data Rights
The DPA states that all individuals must be informed of how their data will be used and by whom, and they have the right to object against its use and change any records they deem inaccurate. The GDPR affords the same rights but has two other specific instances – the right to be forgotten and the right to data portability. To comply with GDPR you must be able to safely and securely dispose of an individual’s personal information in its entirety and must have the capability to transfer information to another data controller, over a secure network, in a frequently used format. With Replicate Data, the right to be forgotten is no problem and we can give advice on transferring information if required.
Subject Access Requests
A Subject Access Request refers to a written request made by an individual, or on behalf of an individual, for the information held on them by an organisation. The DPA states that organisations can charge individuals when complying with these requests and gives them 40 days to comply. The GDPR is changing this considerably. In most cases organisations will have to respond to every application within a month and won’t be able to charge individuals when actioning these requests. To achieve compliance you will need to have policies and procedures in place to handle requests within the new timescales.
When gathering personal data it is essential to ensure that the information is obtained in a manner whereby consent is freely given. Under the GDPR, you must be able to demonstrate that consent was provided; pre-ticked check boxes and inactivity do not count.
Personal Data for Children
There is a new clause about Personal Data for Children. Under this legislation the collection, storing and processing of any information about a child is expressly prohibited except in those situations where parents/guardians have provided consent. In this case, a child refers to a person below 16 years of age, although EU member states do have the power to reduce this to a maximum age of 13. To achieve compliance, the child’s age must be verified and, if necessary, the relevant parental/guardian consent obtained.
GDPR is not just about IT
Every organisation that handles personal information must comply with this new legislation. It is much more than just an IT issue – every member of your team needs to be aware of the new rules and the implications of gathering personal information from your customers.
Using Replicate Data helps you form the basis of a technical compliance strategy. We provide a robust automated data backup solution where data is military grade encrypted, both at rest and in transit, and is stored securely within multiple UK based data centres. Your confidential customer/staff/pupil records are safe and secure with us. We retain data in accordance with your specific requirements and are ready for GDPR compliance.
The Information Commissioner’s Office offers a self-assessment online toolkit to give you more information on compliance.