General Data Protection Regulation (GDPR) is currently a hot topic, and with the new regulation applying from 25 May 2018, it’s just around the corner. Getting your head around the topic can be tricky, so with this in mind, we’ve gathered some key information on the subject. If you’re wondering about GDPR and the measures you’ll need to take to comply, read on.
What is GDPR?
In a nutshell, GDPR is the new data protection law which will supersede the current 1998 UK Data Protection Act. It gives individuals more say over how companies use their data and introduces tougher fines for non-compliance and breaches.
The Information Commissioner's Office (ICO) website is a good starting point for all things GDPR and for specific information on data compliance. Make sure you check out the ICO resources and checklist.
Who does it apply to?
GDPR will apply to businesses that handle personal data, meaning any data which can be used to identify an individual.
GDPR applies to ‘controllers’ and ‘processors’ which in GDPR terminology means:
- Data processor – the person who carries out the data processing
- Data controller – the person who determines how personal data will be processed
It’s likely that your business is both a data controller and processor.
How will it affect me?
Once GDPR comes into force, personal data must be processed in accordance with 6 basic principles. In summary, data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and up to date
- Kept in a form which permits the identification of data subjects for no longer than necessary
- Processed with appropriate security measures
The ICO could issue hefty penalties to those involved in a data breach and companies are far more liable under GDPR than they were under the Data Protection Act.
What do I need to do before 25 May?
The ICO has outlined 12 recommended steps businesses should take before GDPR comes into force in May. Here’s a quick summary of the steps, but remember to take a look at the ICO Preparing for GDPR 12 Steps Guide for more information.
1. Awareness – Ensure your organisation is aware that the law is changing to the GDPR.
2. Information you hold – Document what personal data your business holds, where it has come from and who it is shared with. This could come in the form of customer email addresses which are used for marketing campaigns, or employee records.
3. Communicating privacy information – Review your privacy notices (both internal and public) and put a plan in place for making any necessary changes before GDPR comes into force. Under GDPR, businesses will need to provide additional information, such as data retention periods. Check out the ICO’s Privacy notices code of practice to fully understand the new GDPR requirements and update your privacy notices to include:
- Your business’s identity
- How you intend to use personal data
- The lawful basis for each processing activity (such as consent or a contractual arrangement)
- Data retention periods
- That the data subject may complain to the ICO
4. Individuals’ rights – Check your procedures to ensure they cover the new rights people have under GDPR, including:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling
5. Subject access requests – An individual is entitled to contact you requesting any personal data you hold on them, what you’re doing with it and who you share it with. Update your procedures and plan how you will handle requests to take account of the new rules. More information is available from the ICO on Subject access requests.
6. Lawful basis for processing data – Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent – Review how you seek, record and manage consent and whether you need to make any changes. Read the ICO’s detailed guidance on consent. Under GDPR, consent must be active rather than passive – so no more pre-ticked boxes!
8. Children – Review whether systems need to be put in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.
10. Data Protection by Design and Data Protection Impact Assessments – The GDPR makes privacy by design an express legal requirement, and Data Protection Impact Assessments (DPIAs) mandatory for any processing that is considered high risk. Check out the ICO Protection Impact Assessment Code of Practice for more information.
11. Data Protection Officers – Designate someone to take responsibility for data protection compliance.
12. International - If your organisation processes data in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
By carrying out these steps your business should be good to go before GDPR arrives on 25 May 2018! If you have any questions or would like to discuss ways that SONDR™ can help you prepare for GDPR, then contact us on firstname.lastname@example.org.