General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is an EU regulation that applies from 25 May 2018. Building on the 1995 EU Data Protection Directive (DPD), which it replaces, the GDPR aims to improve the protection of personal data belonging to individuals in the EU. It does this by strengthening the rights of data subjects, raising the obligations on businesses that collect and process personal data, and introducing much tougher penalties for anyone found to be breaking the new rules.
Many questions have been raised about the relevance of the GDPR once Brexit is implemented, but Brexit has no effect on the need for UK businesses to comply with it. The UK Government introduced the Data Protection Bill in September 2017; it sits alongside the GDPR in UK law, is intended to keep the same standards in place after exit, and uses the GDPR's national derogations only on a few points, such as lowering from 16 to 13 the age at which a child can consent to online services. The core obligations are those of the full EU regulation, so no time should be lost in starting the journey to GDPR compliance.
Data protection principles
The previous law, the 1995 EU Data Protection Directive as implemented in national legislation, set out eight data protection principles which organisations have used to govern how they collect, use and store personal data for more than two decades. The GDPR carries these principles forward and expands them. The principles are:
- Obtain and process the personal data fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give any individual a copy of their personal data on request
What has changed?
An EU directive (like the previous law) sets out a goal that all EU countries must achieve, but leaves it to each country to devise its own national law to meet that goal. By contrast, an EU regulation, like the GDPR, is binding law that applies directly in all EU member states in its entirety.
The GDPR also makes a number of changes to the existing law. The most important of these, for individuals and for the organisations that process their data, are listed below:
- Special categories of ("sensitive") data now explicitly include genetic data and biometric data used to uniquely identify a person.
- Transfers of personal data outside the EEA must rest on an adequacy decision or on appropriate safeguards such as standard contractual clauses or binding corporate rules; the individual's explicit, informed consent is only a narrow fallback for occasional transfers, not the normal basis.
- A new right to data portability lets individuals receive the data they provided in a structured, commonly used, machine-readable format and have it transmitted directly to another provider where technically feasible.
- Processing criminal conviction and offence data (for example, criminal record checks on employees) is allowed only under official authority or where specifically authorised by EU or member state law.
- Supervisory authorities (such as the ICO in the UK) can issue fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements, with a lower tier of €10 million or 2% for others. These apply to infringements of the regulation generally, not only to data breaches.
- The right to erasure (the "right to be forgotten") allows an individual to have their personal data deleted, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent, and can extend to removal of online content.
- Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and must be as easy to withdraw as it was to give; it can be withdrawn at any time.
- The use of personal data must comply with the six data protection principles in Article 5, and the controller must be able to demonstrate that compliance (the accountability principle).
- Processing that is likely to result in a high risk to individuals requires a data protection impact assessment before it starts, and prior consultation with the supervisory authority where the assessment shows a high residual risk that cannot be mitigated.
- A data protection officer must be appointed by public authorities and by any organisation, whatever its size, whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category or criminal data.
Way2Work’s GDPR Commitment
As we approach 25 May 2018, Way2Work is focused on its GDPR compliance efforts. During this implementation period we are continually evaluating the new requirements and restrictions imposed by the GDPR and will take whatever actions are necessary to ensure that we handle customer data in compliance with the applicable law by the deadline. We will keep this page updated and share content over the coming months on the changes to our terms and operations that we are implementing.
At Way2Work we strive to deliver an excellent learning experience and to earn the trust of the learners and employers we work with. We will continue to make the additional operational changes required by the new legislation, and will keep our learners, employers, partners and regulatory authorities informed throughout this process. Classroom-based training has been delivered to operational staff, and all staff are taking an online GDPR training course to ensure that Way2Work becomes fully GDPR compliant.
A copy of our latest privacy notice and GDPR policy is available here: W2W Privacy and GDPR Policy V1 May 2018 (App Form Doc).