Four letters that you’re inevitably hearing a lot of lately… but what does GDPR mean and how will it affect your business?
The General Data Protection Regulation (GDPR) will become law on 25th May 2018 and will affect all businesses across the UK and Europe.
With expressions like ‘dramatic’ and ‘radical changes’ being used as part of the GDPR dialogue, you can be forgiven for considering it an intimidating subject.
However, in simple terms, it’s an evolution of the existing Data Protection Act (in harmony with the EU), with some additional requirements applied to storage of personal data, rights of access and data removal.
Are you ready and able?
Whilst the above is a very simplistic explanation and not to be taken lightly, as a business owner you need to ensure you’re ready and able to follow the regulations – or face a possible fine of up to 20 million Euros (circa £17.8m) or 4% of your annual turnover.
The core rules of the Data Protection Act remain. So, ‘what’s changing?’
GDPR is a complex subject that we’re all still getting our heads around. However, my understanding is that the key changes relate to consent, subject access requests and automated decision-making. Fundamentally, the GDPR will require employers to obtain an increased level of consent from individuals for their personal data to be processed and stored – both automatically and manually.
The parameters around the provision of consent must also be very clear. For example, consent must be freely given, specific and informed. The purpose for requesting consent must in no way be ambiguous, and individuals providing their consent must also be able to withdraw it easily. As business owners, we also need to ensure that we clearly communicate that personal data will not be processed if we don’t receive consent.
First off, let me be clear, I’m also wading through the mountains of information on the subject but there is one point I would advise, and that is:
Start preparing for the changes now!
The sooner the new legislation is understood and implemented, the easier the transition in May.
There are many summits, websites, white papers and emails providing information on the GDPR and I’d encourage you to research the subject for yourself. However, I believe that these ‘12 steps to take now’ from the Information Commissioner’s Office (ICO) provide a great summary of what we should all be considering:
- Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Children: You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
- International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
(Source: Information Commissioner’s Office: ico.org.uk)
GDPR may be four little letters, but those letters have big consequences if not adhered to, so: ‘research, understand and implement’.
For more information, contact Abigail Dixon at Labyrinth Marketing on 07855 840844.