If you conduct business with, or use data about, individuals who are European citizens, the General Data Protection Regulation (GDPR) applies to you. From 25 May 2018 it updated and enhanced existing legislation to make sure both your business and your employees are transparent about how you use data. Discover the latest industry updates around GDPR, as well as more information on what it means for you and your business.
What is GDPR?
Learn more about what GDPR actually means and what’s covered by it, including personal and special category data.
The GDPR applies to you if you collect, store or handle personal and special category data about EU citizens, even if your place of business is outside of the EU:
- Personal data is any information about a person who can be identified by an identifier such as a name, identification number, location data, online identifier or through specific factors relating to their biological or social identity.
- Special category personal data reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or medical information, or orientation. There are additional restrictions when processing these types of data.
Processing personal data must be lawful, fair and transparent, but how can you make sure you’re meeting these requirements?
Fundamentally you’re required to make sure you only use someone’s personal data if you’re transparent about what you’re doing with it and why and you aren’t doing so against their wishes, instructions or legal rights. Your business needs to have appropriate measures in place to protect personal data and to erase or provide copies of someone’s personal data if they ask you to.
You can only process personal data about a person if:
- You have their consent; or
- The processing is necessary and you have given them a privacy notice.
How can I decide if processing is necessary?
If you’re doing it to:
- Perform a contract with someone;
- Meet a legal obligation you’re subject to;
- Protect the vital interests of someone;
- Take action in the public interest;
- Pursue the legitimate interests of your business, as long as you’re not overriding someone’s fundamental rights such as their right to privacy.
If you’re processing special category data about someone you’ll normally need their explicit consent.
You can find out more about these requirements in our Loss Prevention Briefing below.
Latest News and Circulars
Further Guidance on the Implementation of GDPR
The purpose of this Circular is to provide Members, correspondents and others with further guidance on how to reduce the risk of a breach, and to advise you of some changes we will be making in how we handle personal data.