What is GDPR?
The GDPR is the new framework for data protection law for businesses in the EU, replacing the previous directive on which the UK’s current law is based. After four years of discussion and negotiation, it was adopted by both the European Parliament and the European Council.
When will it take effect?
It will come into force on May 25, 2018, after a two-year preparation period for businesses and public bodies to prepare for the change.
Who will enforce the GDPR?
The GDPR changes will be enforced by the Information Commissioner’s Office (ICO). The ICO will be able to fine businesses that do not comply with it.
How can you breach GDPR?
One of the biggest and most talked-about aspects of the GDPR is understanding how your business could be in breach of it. Here are some examples of how your business may be fined:
- If you do not process an individual’s data in the correct way.
- If you require a data protection officer and do not have one in place.
- If there is a security breach and individuals’ data is at risk.
- Failing to report the ‘destruction, loss, alteration, unauthorised disclosure, or access to’ people’s data to the country’s data protection regulator.
- Failing to have a documented reason for processing people’s information, or their consent to do so.
- Not being able to provide data to subjects when requested.
Steps to take for your business
- Awareness – Decision makers in the organisation should be made aware of the impact that is likely to occur from the changes in the law.
- Information you hold – Have a look at what personal data you hold and document it; look at where it came from and who you share it with. A good start is an information audit.
- Privacy Information – Make changes to your privacy notices in accordance with how you communicate privacy information.
- Rights of Individuals – Does your procedure cover all the rights individuals have, including how you would delete personal data?
- Subject Access Requests – Plan how you will handle requests within the new timescales and provide additional information.
- Identify and Document – You should identify the lawful basis for your processing. Document it and update your privacy notice.
- Consent – Refresh your consent and review how you seek consent. Consent should be clear, recorded and well managed.
- Children – You need to think about systems to verify individuals’ age, and if your business processes data for children then you will need parent/guardian consent.
- Report a breach – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection Officers – It is ideal to designate someone within your organisation to the Data Protection Officer role, specifically to maintain and assess data protection compliance.
- International – If your organisation operates in more than one EU member state you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
If you require further information about the GDPR, check the ICO website for guidance on how to prepare.