What is GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a regulation (not a directive, so it applies directly in every member state without national implementing legislation) by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU. It also governs the export of personal data outside the EU. Whilst it is already law, having entered into force in May 2016, it does not apply, and will not be enforced, until 25th May 2018.
From that date all organisations in the UK and throughout the EU have to comply with GDPR or face heavy fines if found to be in non-compliance. Note that the GDPR also reaches organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Brexit will have no effect on it becoming law within the UK: the UK will still be a member state on 25th May 2018, and the UK government has confirmed that it will apply the GDPR.
When GDPR applies, it will supersede the existing data protection laws, namely the Data Protection Directive 95/46/EC and, in the UK, the Data Protection Act 1998.
How will it affect companies?
From 25th May 2018, businesses must comply with the regulation or face heavy fines: “Penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.” A lower tier of up to €10 million or 2% of annual global turnover applies to less serious infringements, such as failures in record keeping or breach notification.
How does a business comply?
There are twelve steps, following the UK Information Commissioner's Office (ICO) guidance “Preparing for the GDPR: 12 steps to take now”:
1. Awareness – organisations should be acting now to ensure they are GDPR compliant by 25th May 2018.
2. Information you hold – organisations should document what personal data they hold, where it came from and who it is shared with. The GDPR requires organisations to maintain records of their processing activities and the lawful basis for each.
3. Communicating privacy information – organisations should review their privacy notices and put a plan in place to make the necessary amendments to ensure GDPR compliance.
4. Individuals' rights – the GDPR sets out the following rights, and organisations should check that their procedures cover all of them:
– right to be informed;
– right of access;
– right to rectification;
– right to erasure;
– right to restrict processing;
– right to data portability;
– right to object; and
– right not to be subject to automated decision making and profiling.
5. Subject access requests – organisations should update the policies and procedures they have in place to deal with subject access requests, to ensure they can comply within the new one-month deadline (extendable by up to two further months for complex or numerous requests). A fee can no longer be charged in most cases.
6. Lawful basis for processing personal data – organisations must review the lawful bases they rely on for processing personal data, to ensure each is still appropriate under the GDPR, and document them.
7. Consent – consent must be freely given, specific, informed and unambiguous, and requires a positive opt-in from the individual whose data is being held and/or processed. Pre-ticked boxes, silence and inactivity do not count, and consent must be as easy to withdraw as it was to give.
8. Children – under the GDPR, for the first time, children's personal data is specially protected. Online services offered directly to children require parental consent for children under 16 (member states may lower this to 13; the UK has chosen 13), so organisations will need a way to verify age and obtain that consent.
9. Data breaches – organisations must notify the relevant data protection authority of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, those individuals must also be informed without undue delay.
10. Data protection by design and data protection impact assessments – DPIAs will be required where processing is likely to result in a high risk to individuals, e.g. where rolling out new technology, profiling on a large scale, or processing special categories of data on a large scale.
11. Data Protection Officers (DPOs) – organisations should evaluate whether they are required to appoint a DPO under the GDPR. A DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data on a large scale.
12. International – where your organisation operates in more than one member state, you should identify your lead supervisory authority, which is the authority in the member state where your main establishment is located.
The above is simply an outline of the steps required to achieve GDPR compliance. For further advice and guidance on the detailed steps required to implement GDPR, please contact ITP, who can provide the skilled practitioners necessary for a successful implementation.