GDPR, DATA PROTECTION ACT 2018, FREEDOM OF INFORMATION ACT 2000 – ADAVISTA CAN GUIDE YOU THROUGH IT
DATA PROTECTION – personal information about individuals that is collected, held and processed in a “business” context, and the legislation that provides:
a) A framework for organisations to adhere to
So that
b) Individuals can “see” that organisations are handling their data appropriately. They can have access to that information and trust the organisation to respect the data and keep it securely.
HOW CAN WE HELP?
We can provide assistance in two ways:
1 – Ensure your business / organisation is compliant with the UK legislation, including UK GDPR.
Effectively, this means having appropriately worded documentation in place. It should be short and NOT in “legal speak”. The Information Commissioner’s Office (ICO) has produced reams of guidance on this documentation. See below for the requirements we apply on your behalf.
You “need”:
1 – a Privacy Notice. This used to be called a “Privacy Policy” and is required whether or not you have a website. If you do have a website, that is the expected place to publish it.
2 – “short” Privacy Notices – on forms (paper or electronic) and email footers.
3 – Accountability Document. This is not published but can be requested to “prove” transparency and that security has been considered and documented.
4 – Subject Access Request Procedure. Anyone, including you, can request a copy of the personal information held about them at any time. The ICO expects to see a documented procedure in place should anyone complain to them about your handling of their data (and this can happen!).
Please get in touch if you would like to discuss your requirements and then we can give you a very reasonable quote.
If you process data electronically in your business – email etc – then you are expected to “register” with the ICO. This is under the “Data Protection Fees Regulations 2018”.
2 – Make a Subject Access Request:
As we have stated above, anyone can make a “Subject Access Request” to any organisation for a copy of the personal information it may be holding and processing about them. You can only make such a request about yourself; you cannot make one for anyone else, not even a close family member, unless there are specific circumstances.
We can help you with the process and make the request on your behalf. When the information comes through, we can help you to assess if there is anything missing that should be there.
PLEASE NOTE: there are no guarantees as to what information we will receive, and in some circumstances the organisation is not obliged to give any data at all. This is, though, very rare; indeed, organisations are often obliged to hand over more information than they would like to.
If you believe this could be useful to you and would like to find out more, please get in touch and we can discuss your requirements and give you a very reasonable quote.
None of the above should cost you thousands of pounds to put in place!
DATA PROTECTION BACKGROUND
First came the Data Protection Act 1984, which was all about electronic data and keeping it secure.
Then came the Data Protection Act 1998, which added more structure. This was the UK legislation implementing the concepts of the 1995 EU Directive. This Act “covered”:
- Electronic and manual data (in a structured format).
- Penalties for not having the appropriate technical or organisational measures in place.
- Rights for the data subject, including (but not limited to) access to information, the right to request a copy of the data, and legal redress for any adverse actions.
NOW – we have the implementation of the General Data Protection Regulation (GDPR – Abridged) and the Data Protection Act 2018 from 25th May 2018. If you are already compliant with the DPA 98, then “upgrading” to GDPR compliance means adding policies and adding information to existing policies; building privacy into your organisation through “privacy by design”; and being more transparent by being “accountable”.
Do you need someone’s specific consent to process their data? Highly unlikely!
SO – if you want to find out more, why not get in touch!
We can explain how we use the guidance from the Information Commissioner’s Office (ICO, the supervisory authority) to tailor Privacy Notices to your organisation.
If you process data electronically – email, website, smartphone, tablet, laptop, desktop etc. – then you MUST pay the fee to the ICO. It’s a fixed penalty if you don’t!
We can explain how you do not need to change any of your existing processes but can utilise this legislation to make things more efficient and improve your processes.