GDPR is certainly an important topic of conversation which shouldn’t be ignored. The new data regulations could result in tougher fines, so now’s the time to get to grips with the GDPR. This blog post covers what it is, how it differs from the Data Protection Act, why you should pay attention and the first steps you can take towards being compliant.
GDPR stands for the General Data Protection Regulation and it relates to the rights of data subjects and making them aware of those rights. The main principles of the GDPR include:
With the new regulations, you now need to ensure that you tell people about how you use their data, be ready to help data subjects enforce their rights and be aware of who is helping you with your data. More specifically, this means that you’ll have to tell people:
GDPR is a European law which will remain UK legislation post-Brexit. Most importantly, it comes into effect on 25th May 2018, so don’t panic: you still have time to put preparations in place.
In the Data Protection Act 1998, data subjects have a number of rights and Data Controllers are responsible for acting in accordance with those rights. Data Controllers are not “at fault” until a data breach occurs.
On the other hand, the GDPR gives Data Controllers more responsibilities including advising data subjects of their rights, providing individuals with information relating to those rights and taking all appropriate steps to prevent a data breach from taking place.
The Data Protection Act 1998 will be superseded by the new regulations. Ultimately, the key takeaway is that the GDPR gives people more control over what companies can do with their data and will result in more costly fines for data breaches and non-compliance.
The GDPR is binding on anyone processing Personally Identifiable Information (PII) in the course of their business, which will apply to the majority of businesses.
In the most extreme cases, a business could be fined up to €20,000,000 or 4% of turnover by the Information Commissioner’s Office (ICO). That’s why it’s time to listen up and start taking action!
To get you on your way to being GDPR compliant, take a look at this list of actionable steps to put you on the right path.
Are there people within your organisation who need to know about the GDPR? Ensure that everyone in your business is aware of what the GDPR is and how it will impact them.
List when you are the Data Controller and/or a Data Processor and document what data you hold, where the data comes from and who you share it with.
If your business carries out cross-border processing, you should determine your lead data protection supervisory authority. You also need to ensure your contracts with Data Processors are GDPR compliant. It’s your responsibility to ensure they meet the regulation requirements.
Take a look over your policies and practices to ensure they comply with the new regulations and make sure you have the right procedures in place to deal with a data breach.
Do your current privacy notices explain how and why you’re using the subject’s data? When the GDPR comes into effect, you’ll be expected to have the appropriate notices in place.
You’ll need to review the legal basis for each category of data within your business. Remember to update your privacy policy to explain it too.
Individuals have many rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights related to automated decision-making. Do your procedures cover all of these rights?
It’s likely that there’s much more you’ll need to do to be 100% compliant by May, but hopefully these 7 steps will help get you started.
Finally, our main piece of advice is to document your plans and processes because they should be taken into account in the event of a data breach.
We hope you’ve found this blog useful for getting to grips with the GDPR. If you’re interested in learning more about the GDPR from us, register your interest to receive any further educational content straight to your inbox.