Transport Training Academy

Is your business GDPR ready?

Did you know the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, 2 years after the regulation was introduced in April 2016? Why is this important? Well, it’s important because non-compliance with the new data protection regulation could potentially lead to an administrative fine of up to €20 million, or up to 4 per cent of annual turnover. That’s what makes it so critical. So if GDPR is not already high on your agenda, it definitely should be. It’s certainly high on TTA’s.

Who does the General Data Protection Regulation apply to?

  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. However, the GDPR does not apply to certain defined activities, such as those already covered by the Law Enforcement Directive, processing carried out for national security purposes and processing carried out for personal activities.
  • The new GDPR rule applies to both ‘controllers’ and ‘processors’: that is, those who determine the purpose and means of processing personal data, and those responsible for processing data on behalf of the controller.
  • The new GDPR rule places specific legal obligations on data processors who are required to maintain and process personal data records. From 25th May, processors will be legally liable if they are responsible for a data breach. (Controllers will also share this legal liability if they do not ensure that their contracted processors comply with the regulations.)

What information does GDPR apply to?

Personal data

  • The GDPR applies to the personal data and information, both automated and manually handled, of anyone who can be identified directly or indirectly by reference to an ‘identifier’. The regulation provides a wide range of definitions about what exactly constitutes an ‘identifier’ for personal information purposes, but these include a name, an identification number, location data or an online identifier.
  • It’s worth noting that even personal data that has been ‘pseudonymised’ or key-coded can also fall within the scope of GDPR if it is possible to attribute the pseudonym to a particular individual.

Sensitive data

  • Article 9 of the GDPR refers to sensitive personal data as “special categories of personal data.” These ‘special’ categories specifically relate to information which, when processed, can uniquely identify individuals, such as genetic data and biometric data. [Personal data relating to criminal convictions and offences is not included in the regulation, but similar extra safeguards apply to its processing in Article 10.]

What does the GDPR say?

The GDPR data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

  • ‘processed lawfully, fairly and in a transparent manner in relation to individuals.’
  • ‘collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.’
  • ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’
  • ‘accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.’
  • ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and’
  • ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Article 5(2) also requires that:

  • ‘the controller shall be responsible for, and be able to demonstrate, compliance with the principles.’

Does GDPR apply to your business?

If you are unsure whether your business should be processing specific personal data, or are unclear what information your company should be processing, the Information Commissioner’s Office has provided the following checklist, which you may find helpful:

☐ We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.

☐ We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.

☐ We have documented our decision on which lawful basis applies to help us demonstrate compliance.

☐ We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.

☐ Where we process special category data, we have also identified a condition for processing special category data, and have documented this.

☐ Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.
