You’ve heard about GDPR, you know it comes into effect next year, and your GDPR plan is taking shape nicely? Not quite there yet? Then it’s time to move it up your ‘To Do’ list, because in under six months we’re all expected to be GDPR compliant.
There’s no question that GDPR is a step in the right direction for protecting consumer data in today’s digital age. If you’re still asking whether GDPR applies to your business, take a look at why it probably does, what is covered and how you can make sure your data handling is up to scratch from 25 May 2018. Here are the GDPR basics you need to be looking at now.
Key decision makers need to be fully aware that the data protection law is changing. For larger companies, GDPR may mean extra resources are required in order to comply. In smaller companies, employees should know how this will affect their day-to-day duties and what measures they need to take when dealing with individuals’ data.
Perform A Data Audit
You can’t comply with GDPR until you know what data and information your organisation holds, so a good place to start is to look at what personal data you hold on individuals and employees, where it came from and who you share it with. A data audit will also help you meet GDPR’s accountability principle by demonstrating how you comply with the data protection principles and that you have policies and procedures in place.
Update Your Privacy Notice
You should review your current privacy notices and make any necessary changes to ensure that when you collect personal data you give people certain information, such as your identity and how you intend to use their information. GDPR also requires you to tell people your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights. Privacy notices should also be concise and easy to understand, using clear and plain language.
GDPR Consent Changes
This is the big one that everyone seems to be aware of: you should review how you seek, record and manage consent when obtaining and using personal data. Look at your current consents and check whether they meet GDPR requirements. In brief, consent requires a positive opt-in; pre-ticked boxes or any other form of default consent do not count. It’s essential to specify why you want the data and what you’re going to do with it, and to inform individuals that they can withdraw their consent.
Understanding Individuals’ Rights
The rights of individuals under GDPR incorporate those under the current Data Protection Act (DPA), with some significant enhancements. It’s a good time to check your procedures and work out, for example, how you would respond if someone asked to have their personal data deleted.
Dealing With Subject Access Requests
Another review you should undertake to get ready for GDPR is how you handle subject access requests under the new rules. This is not a chargeable service unless the requests are unfounded or excessive, and you will have one month to comply, rather than the current 40 days. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority within one month.
Do You Need To Appoint A Data Protection Officer?
For the majority of SMEs (under 250 employees) there’s no need to appoint a Data Protection Officer; this applies to larger organisations, for example a public authority. In those cases it is necessary to designate someone to take responsibility for data protection compliance within your organisation.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.