What You Need to Know: The General Data Protection Regulation
The first data protection laws were created in the 90s, and since then the amount of digital data that we create, share and store has vastly increased. This is why, in May 2018, the EU is bringing in the General Data Protection Regulation (GDPR): a new framework of data protection law that has been developed over the last four years.
There’s lots of discussion around how the GDPR will impact individuals as well as businesses. For individuals, the EU wants to give them more control over how their personal data is shared and used. They will have the right to access any information a company holds on them, as well as the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Individuals will also be able to ask for access to the data stored on them free of charge, and companies must generally respond within one month. The GDPR gives regulators the power to fine businesses that don’t comply with it. If an organisation has a security breach, doesn’t process data in the correct way or doesn’t have a data protection officer when one is required, it can be fined.
In order to prepare your business for the GDPR, the ICO has created a 12-step guide. To give you some idea of the types of changes happening, we’ve given you an overview of these steps below.
1. Awareness
Make sure that the key decision makers in your organisation are aware of the changes.
2. Information you hold
You’ll need to document any information you currently hold, where it came from and who you share it with.
3. Communicating privacy information
Review your current privacy notices and put a plan in place for potentially amending these in time for GDPR implementation.
4. Individuals’ rights
Make sure that your current procedures cover all of the new rights individuals have.
5. Subject access requests
You may find your company gets more access requests, so it’s important that you consider the logistical implications of having to deal with requests more quickly.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You’ll need to review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Children
You may need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
11. Data Protection Officers
In some circumstances, you may need to designate someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
For more in-depth information, take a look at the ICO 12-step guide or complete one of their online checklists. Ultimately, as a business, you need to ensure you are keeping people’s personal data secure. By doing this, you will not only enhance your business’s reputation but also increase customer and employee confidence.