The GDPR law
The new Data Protection law known as GDPR comes into force today. You can read more about it below.
What is GDPR?
The General Data Protection Regulation, or GDPR for short, brings the current Data Protection Act 1998 into the 21st century and expands the rights of individuals to control their personal data.
In short, GDPR is a new EU approved regulation that will ensure businesses are collecting, using and holding your data securely.
Why is GDPR important?
GDPR is the largest piece of data regulation ever passed by the EU. For businesses large or small, GDPR means keeping tighter boundaries on information they hold, improving security awareness for protecting that data and ensuring any data shared is done appropriately.
Under the new regulations, there is a greater emphasis on ensuring that individuals are informed about how their data may be used and controlled.
Individuals are given greater rights to control their personal data which include:
• Individuals have the right of access to personal data through a process called ‘Subject Access Request’.
• In certain cases, individuals can request that their personal data is erased.
• Individuals have the right to move data from one service provider to another.
• Individuals have the right to have inaccurate information corrected.
The period for responding to a subject access request is 40 days.
Legitimate reason for holding a person’s data.
The GDPR requires us to conduct an assessment on the data we hold and obtain to ensure it fits within one of the lawful grounds for processing that data.
There are 2 main grounds that allow us to hold a person’s data:
1. Legitimate Interest
2. Obtaining consent
Legitimate interest is the most flexible basis for holding data. Our legitimate interest in holding the data is usually for:
• the provision of support, education and guidance to our beneficiaries (HighGrounders),
• communication with our Friends of HighGround (FHG),
• raising awareness of the Charity
• provision of necessary information in order to secure funding and grant opportunities
We continue to have a legitimate interest in holding that data for the purposes of satisfying any legal, accounting, or reporting requirements.
Where we rely on consent, the GDPR is clear that an indication of consent must be unambiguous and involve a clear opt-in. The new regulation specifically bans pre-ticked opt-in boxes.
• Consent must be freely given, specific, informed and unambiguous;
• Consent cannot be hidden in any small print;
• Opt-outs and pre-checked boxes are not allowed – pre-checked boxes do not qualify as consent;
• Companies must give the individual a clear way to withdraw consent;
• Organizations must be able to clearly show evidence of consent.
So, what do we mean by personal data?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
Whilst a name is probably not enough to identify an individual, once it is combined with other information (such as address, date of birth, place of work or telephone number) this will usually be sufficient to identify an individual.
A few examples of personal data:
• Service number
• Passport Number
• Mobile/Telephone number
• Email Address
• Regimental/Service Details
• Driving licence details
• Date of birth
Examples of sensitive personal data:
• Personal Health Data
• Racial / Ethnic origins
• Criminal Record Information
• Disclosure & Barring Service Information
Data Protection Principles
Personal data must be controlled or processed according to 6 data protection principles:
• Processed lawfully, fairly and in a transparent manner in relation to individuals
• Collected only for specific and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed
• Accurate and where necessary, kept up to date
• Data is only stored for as long as is necessary
• Processed in a manner that ensures appropriate security of personal data
Data Security and Breach Reporting
Under Article 33 of GDPR there is a legal obligation for charities to report significant data breaches to the Regulator. Personal data must be secured against accidental loss and unauthorised processing, and any breach must be reported to the regulator within the set timescales.
• A charity must report a data breach to the Information Commissioner's Office within 72 hours of discovery.
• Anyone impacted by a data breach must be told if there is a high risk to their rights and freedoms, e.g. their identity could be cloned.
How will GDPR change the way we work?
In order to comply with GDPR we have introduced new procedures for storing information, and updated our internal and external policies. A full schedule of policies can be found on the HighGround website.
Further GDPR information can be found on the Information Commissioner's Office website.
HighGround Data Protection Officer: Eunice Learmont.
HighGround Chairman: Air Commodore (rtd) Ian Elliott OBE BSc RAF