In a matter of days, data protection rules across Europe will finally undergo their biggest change in two decades.
From May 25, 2018, the GDPR (General Data Protection Regulation) will be enforced by data protection regulators across Europe. The change brings outdated personal data rules up to speed with an increasingly digital era.
What is GDPR?
The GDPR is Europe’s new framework for data protection laws. It replaces the 1995 Data Protection Directive, on which current UK law is based.
Is my business affected by GDPR?
Essentially all individuals, organisations and companies that are either controllers or processors of personal data will be covered by the GDPR. If you are currently subject to the Data Protection Act (DPA), then you will be subject to the GDPR.
How do I prepare for GDPR?
Once implemented, the GDPR will have a varying impact on businesses and organisations. To help prepare for the start of the GDPR, the ICO has created a 12-step guide, which can be found here:
The 12 key steps in summary
- Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
- Information you hold
You should document what personal data you hold, where it came from and who you share it with.
- Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests
You should update your procedures and plan how you will handle requests to take account of the new rules.
- Lawful basis for processing data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent
You should review how you seek, record and manage consent and whether you need to make any changes.
- Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments
It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA).
- Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- International
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
The ICO’s website has a wealth of information:
EU GDPR information can be found here:
If you want to find out more about potential fines for non-compliance, the IT Governance website has some good information.