Save the date! On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force.
The new regulation gives individuals significantly more rights and powers over how their personal data is collected, used and shared.
With less than a year before the GDPR applies, here are 7 steps your business can take today:
1. Make sure all stakeholders are aware of GDPR
The ICO’s website is a good place to start.
2. Document the data you currently have
You need to ask your business the what, where, why and how questions: What personal data (if any) does your business currently hold? Where did it come from? Who is it shared with? Why and how is this personal data processed? Is any of it printed? And how is the data filed and retained?
3. Ensure you review the lawful basis for processing personal data
You need to identify and justify the lawful basis on which you process personal data, taking into account the rights of the individual. Individuals now have greater control: they can request a copy of the personal data held about them and ask for it to be deleted. Your organisation should review how subject access requests and deletion requests will be managed, including how you will meet the one-month response deadline.
4. Review how consent is obtained
Review your existing methodology for gaining consent to process personal data. How is it sought? How is it recorded? How is it managed and withdrawn? What are the ages of the individuals concerned? The GDPR tightens the requirements for consent: it must be freely given, specific, informed and unambiguous, and a pre-ticked box or silence does not count. Consider what your privacy notices currently state and what they need to say to be GDPR compliant. Where you rely on consent to process a child's personal data, systems need to be in place to verify ages and obtain the correct level of parental consent.
5. Utilise Privacy Impact Assessments
Privacy Impact Assessments (known under the GDPR as Data Protection Impact Assessments, Article 35) are tools that help to identify and reduce the privacy risks of your projects, and are mandatory where processing is likely to result in a high risk to individuals. The core principles can be embedded within existing project and risk management policies.
6. Assign a data protection officer to take responsibility for GDPR compliance
Article 37 outlines when a data protection officer must be appointed: in public authorities; in organisations whose core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale; and in organisations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions or offences. Even where the appointment is not mandatory, someone should own GDPR compliance, and the role should sit within your business's governance structure and report to the highest level of management.
7. Be ready and able to notify a breach in 72 hours
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, and in some cases to the individuals affected. Make sure that staff understand what constitutes a data breach: it is more than the loss of personal data and includes unauthorised access, disclosure, alteration or destruction. Ensure an internal breach reporting procedure is in place so that incidents are escalated quickly and the decision on whether to notify the authority can be made within the deadline.
Even with Brexit, the importance of the GDPR cannot be overstated: on 25 May 2018 the UK will still be an EU member state, so the regulation will apply in full. Organisations that do not prepare for the new regulation may face staggering fines of up to 4% of global annual turnover or €20 million, whichever is higher. Act today.