With just over four months until the new General Data Protection Regulation (GDPR) law comes into force, now more than ever is the time to think about how compliant you are.
Before you dive right into seeing what documents you have and locking them all up, it is first worth getting an understanding of what the new law is.
What is GDPR?
In short, GDPR is a new EU directive on how businesses that operate within the EU store, collect and protect personal data, meaning any information that can be used to identify an individual, either directly or indirectly.
The law will come into effect on 25th May 2018, at which point there will also be a replacement Data Protection Act (DPA). While the two laws are similar when it comes to concepts and principles, the execution of the two is different, and failure to comply with GDPR can result in fines of up to €20 million or 4% of worldwide annual income.
Differences between GDPR and DPA?
There are many differences between GDPR and the DPA, the main one being that the GDPR rules are a lot stricter than the DPA's, and individuals have more say over their personal information.
Below are a few of the main differences:
- Enforcement – the DPA is enforced by the Information Commissioner's Office (ICO), whereas GDPR will be overseen by a Supervisory Authority, with each EU state having its own.
- Data Breaches – under the DPA, a business has no obligation to report a data breach. Under GDPR, a business will have to report it to its Supervisory Authority within 72 hours.
- Data Removal – under the DPA, there is no requirement for an organisation to remove the information it holds on an individual; under GDPR, an individual has the right to ask for all information, including web records, to be permanently deleted.
- Individual Opt-in – data collection currently doesn't require opt-in; under GDPR, individuals must have the option to opt in whenever data is collected, and there must be clear privacy
According to the ICO, these are the 12 steps you need to take now in order to prepare for GDPR (full details of the checklist can be found here):
- Awareness – make sure that decision makers and key people in your business are aware that the law is changing to the GDPR
- Information you hold – document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit
- Communicating privacy information – review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation
- Individuals' rights – check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format
- Subject access requests – update your procedures and plan how you will handle requests within the new timescales and provide any additional information
- Lawful basis for processing personal data – identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it
- Consent – review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard
- Children – start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity
- Data breaches – make sure you have the right procedures in place to detect, report and investigate a personal data breach
- Data Protection by Design and Data Protection Impact Assessments – familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation
- Data Protection Officers – designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer
- International – if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this
All of this may seem daunting, especially if you are not computer or tech savvy. I am sure the threat of a heavy fine doesn't put you at ease either; however, a simple solution is to consult an external IT company that specialises in GDPR, such as Capital Network Solutions.
All our staff members are EU GDPR Foundation qualified, having undertaken GDPR training and passed a rigorous exam in early 2017.
This training and certification allows us to confidently deliver expert advice and services to you. We can help ensure that your business is GDPR compliant through services such as audits to check what information you have stored; gap analysis to identify current risks and areas of non-compliance, with a detailed remediation plan; training for your employees; and consultancy on further security and compliance.