The General Data Protection Regulation (GDPR) comes into force in a little over a year from now, May 25th 2018, with new compliance regulations concerning the protection of personal data.
Essentially an update on regulations already in place under the Data Protection Act, the GDPR is being transposed into law across all member states of the European Union (EU). And, despite the triggering of Article 50 and the withdrawal of the UK from the EU, this is still a directive that UK companies will need to adhere to, as Britain will remain under full EU law until the separation is complete (so, at least another 2 years).
So, how ready for the changes are you?
OK, so May 2018 sounds like a date in the distant future, but time doesn’t stand still, and with compliance mandatory, getting yourself prepared in advance and ahead of any last minute panic is most certainly advised.
So here we outline a short and handy checklist that you can use to help with your GDPR preparations.
1. Ensure everyone is ‘in the know’
The change is coming, and the new regulations WILL be coming into effect. You know this, we know this. But does everyone in your organisation know it? Ignorance is not a defence, so you need to ensure that everyone who needs to know about the GDPR does know.
2. Accuracy of Information
Under the new law, businesses need to inform the organisations with which they’ve shared personal data of any mistakes, inaccuracies, or out-of-date information. This may necessitate a full audit of currently held data, to ascertain its accuracy and any trail of sharing that may exist. A full record to demonstrate compliance needs to be kept for transparency.
3. Privacy Notices
Check all your privacy notices to ensure that they will be in compliance with the new regulations. Ensure that all the correct added information is being disclosed when personal data is being shared.
4. Increased Access Rights
GDPR is going to increase the access rights that individuals have to any personal data that organisations hold on them. Legal access to this data, the prevention of direct marketing and profiling, and even the deletion of data will all be applicable under the new law. Your policies and procedures must be amended to reflect these changes.
5. Consent
The new regulations stipulate that all consent for access to data must be given freely and without any stipulation or ambiguity. Check your existing policies when it comes to consent issues, amending them accordingly to meet with compliance.
6. Breach Notification
The GDPR will increase the responsibility on companies and organisations to notify the Information Commissioner's Office (ICO) of any breaches of personal data. Similarly, stricter obligations will be placed upon companies to guard against data breaches, including security, early detection, and recovery procedures. Checking diligence in online security and data storage is essential ahead of the changes.
7. Informing Individuals
If personal data has been hacked from an organisation’s system, then the organisation has an obligation to inform the individual of this occurrence. This should be reflected in your terms of service to comply with the new regulations.
8. Data Protection Officers
You need to have in place a designated Data Protection Officer for your organisation. This can be an in-house role or an external body.
As noted above, GDPR will be upon us in May 2018. It’s really not that far away, and the penalties for non-compliance have the potential to hit both the pocket and the reputation. The time to act and get ready for the changes has arrived.