A new data privacy law, the General Data Protection Regulation (GDPR), comes into force in May 2018, overhauling current data protection legislation.
The General Data Protection Regulation (GDPR) will replace the current Data Protection system and has been designed to harmonise data privacy laws across Europe, protecting all EU citizen data privacy and to restructure and reform the way organisations across the region approach and safeguard data privacy. If you handle EU citizen data, you will need to show compliance to the new regulation, ideally by having someone in your business responsible for data protection and ensuring you gain customers’ consent before using their data, using the ‘opt in’ system rather than the current ‘opt out’ mechanism.
If you do not comply with GDPR by the time it is enforced, you can be subject to a hefty fine. It is imperative your business is prepared. Here are 12 steps to help you get ready for one of the biggest changes in data regulation:
1. Ensure key people within your business are aware of the impact this is likely to have. 2. Document the information you should hold, where it came from and how you used it. Create an information audit if you need to. 3. Communicate your privacy notices and update if necessary in readiness for the implementation of GDPR. 4. Check your procedures to cover the rights of individual’s data, including how you delete records and how you transmit data. 5. Plan who has access to data records and who has the ability to amend and update records when required. 6. Confirm the legal basis you have for using the data you hold and document it. 7. Review the way you obtain data with particular regards to obtaining and recording consent to use it from the individual. 8. Plan how you verify ages of individuals when data gathering to ensure if dealing with minors parental/ guardian consent is obtained and recorded. 9. Ensure you have procedures in place to detect, investigate, and report a personal data breach. 10. Use the guidance of Privacy Impact Assessments to understand how to implement them within your business. 11. Designate a Data Protection Officer, if necessary. This must be a responsible person as the role should sit within your company governance arrangements. 12. If you deal internationally, you will need to determine which data protection supervisory authority you come under.
You will also need to have an action plan in case of a data breach. This will involve notifying customers and reporting the incident to the Information Commissioner’s Office (ICO) within 72 hours.
Do not hesitate to contact a member of the team if you require further information.