All businesses have a responsibility to protect people’s data and privacy. You are at risk of significant fines if you do not comply with new regulations coming into effect 25th May 2018.
General Data Protection Regulation (GDPR)
The new data protection law, the GDPR, comes into effect across the European Union on the 25th May 2018 and will affect most businesses. Regardless of Brexit, the Government has confirmed its intention to bring the GDPR into UK law. This would replace the existing Data Protection Act.
“If you are currently subject to the DPA [Data Protection Act], it is likely that you will also be subject to the GDPR.”
The Information Commissioner’s Office (ICO)
Why the change?
Given the massive amounts of data collected in this digital age, regulators are keen to give individuals more control over who can hold their information and how it can be used.
Potential penalties for non-compliance of €20 million or 4% of your business’s annual turnover (whichever is higher) make clear just how seriously you need to take these responsibilities.
We strongly recommend you start planning now to make sure your business is compliant.
11 Actions to Take Now
1. Spread Awareness
You should make sure that everyone in your organisation is aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Document the Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicate privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Review individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements.
5. Plan for access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Establish a lawful basis for processing personal data
You should identify the lawful basis under the GDPR for each of your processing activities, document it, and update your privacy notice to explain it.
7. Seek Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Plan for Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
9. Data Protection by Design and Privacy Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments and work out how and when to implement them in your organisation.
10. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
11. Lead Supervisory Authority
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.
The information given here is based upon guidance from the Information Commissioner’s Office (ICO). Davis Grant is not an expert in data protection.