Here is an informal snapshot of what the GDPR (General Data Protection Regulation) requires from everyone concerned from 25 May 2018:
If you receive personal data from an organisation such as Radian, the law expects you to look after it carefully, whether it is on paper or in digital form (laptop, USB stick, cloud storage…). You should keep it no longer than needed for the job, making sure that guarantees, invoices and the like are securely archived. You can pass on personal data to a subcontractor only with Radian’s written permission, remembering that your subcontractor must follow the same rules. If you suspect loss or theft, you should notify Radian as soon as you can.
Broadly, the new legislation confirms what was already best practice under existing law, while responding to changes in technology over the last 20 years. A significant addition is the principle of joint responsibility for the safekeeping of shared personal data, with higher penalties for failing to do so.
For more detailed information, we strongly encourage you to check directly with the ICO (Information Commissioner’s Office). The ICO website includes a section for smaller businesses with a checklist. You can also find guidance there for specific situations, for example concerning children, health records or CCTV.
Personal data means any information relating to an individual person that could identify them directly or indirectly. Typical examples include name, address, phone number, email address, and certain reference numbers. It may extend to ‘sensitive’ data relating to individuals, such as medical conditions.
The GDPR applies both to computer- or cloud-based personal data and to manual filing systems. It sometimes includes personal data held within business-to-business contacts.
Data subjects could include staff, tenants and their family members or carers, attendees at an event or training session, and any other individuals whose personal details are needed for a justifiable reason, for example to carry out a service in an individual property. The GDPR gives data subjects greater rights over consent to, sight of, and correction of their personal data.
Briefly, controllers (for example Radian) determine which of the personal data they hold needs to be shared, for what purpose and for how long. The GDPR also places further obligations on controllers to ensure that contracts with processors (including subcontractors) are compliant.
Processors (for example a Radian supplier) are responsible for processing (handling, referring to and securely storing) personal data on behalf of a controller. This could include receiving and holding the details needed to carry out a particular job, and retaining some or all of them on invoices or guarantees in a secure archive for a reasonable period. Among other legal obligations, you are required to maintain records of such personal data and processing activities. You will be legally liable if you are responsible for a ‘data breach’ (loss or theft).
Sole traders as well as organisations of any kind may be processors.
The GDPR does not apply to certain activities including law enforcement and national security, or processing carried out by individuals purely for personal or household activities.
With the GDPR, registration under the Data Protection Act 1998 is replaced by an annual ICO registration. Existing DPA registrations remain valid for their full year.
For general queries about data protection at Radian, or to report a data breach, please email email@example.com.
For further information, please see the ICO website including the link given above, or call their helpline: 0303 123 1113.