The EU General Data Protection Regulation (GDPR) will come into force across all member states (including the UK) on 25 May 2018.
What is GDPR?
The GDPR was approved by the European Parliament in April 2016 and will replace the 1995 data protection directive. GDPR intends to strengthen and harmonise data protection for all EU individuals and applies to any company that holds information about an EU citizen, which means it can impact companies globally.
As the EU is the UK’s largest trading zone, the UK will still be expected to adopt the GDPR, or something very like it, regardless of the eventual deal reached by the UK Government as part of Brexit negotiations. It is therefore vital that all UK businesses start to prepare for the changes that are coming, especially as non-compliance can lead to hefty penalties of up to €20m or 4% of a company’s turnover, whichever is greater.
What can you do now to prepare?
The additional compliance requirements may be viewed as a burden, even costly and disruptive. However, regardless of size, businesses should also view GDPR as a great new opportunity to enhance their information security practice from technical, governance and legal perspectives.
To help prepare for GDPR, here are 12 steps that the Information Commissioner’s Office advises that you take now:
- Awareness – Make sure that senior management and key people in your organisation are aware that the law is changing and the impact GDPR will have on your business.
- Information you hold – Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information – Review your current privacy notices and put a plan in place for making any necessary changes ahead of GDPR implementation.
- Individuals’ rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests – Update your procedures and plan how you will handle requests within the new timescales.
- Legal basis for processing data – Review the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- Consent – Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- Children – Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- Data breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Privacy by design and impact assessments – Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
- Data Protection Officers – Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- International – If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
For further advice on GDPR and the impact that this will have on your organisation, contact firstname.lastname@example.org.