If you haven’t already thought about planning for the upcoming General Data Protection Regulation (GDPR) changes, you need to act sooner rather than later.
This post acts as a guide to what is covered in the GDPR changes, but for more information and guidance, please visit the Information Commissioner’s Office (ICO) website, and the area on ‘Preparing for data protection reform’.
WHAT IS THE GDPR?
The EU GDPR is the most important change in data privacy regulation in more than 20 years.
The GDPR will apply in the UK from 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR, or how it is policed.
WHAT DOES THE GDPR COVER?
Any information or data related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Failure to comply with the new regulations could mean fines of up to €20m or 4% of a company’s global turnover.
WHERE DO YOU START WITH GDPR?
Here are a few areas that you’ll need to look at, to ensure your business and brand are ready for the changes. As above, always double check with the ICO’s data protection reform website.
CONSENT
Consent for data use has to be explicit. No more indecipherable terms and conditions filled with legal jargon. If you can’t prove explicit consent for the data you hold, then you won’t be able to use it.
Many clients are already re-configuring check boxes for opt-in campaigns related to email, competitions and more. Are you up to scratch?
BREACH NOTIFICATION
Cyber crime is on the up. Companies are being hacked left, right and centre; from the NHS and Yahoo! to LinkedIn and Debenhams, it seems no company is safe, regardless of size. In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours. Are you able or ready to do this?
RIGHT TO ACCESS
Data subjects and people that consent to giving you their data have the right to obtain confirmation from the data controller whether their personal data is being processed. The data controller should provide an electronic copy of personal data for free to data subjects. Do you have the tools in place to provide this quickly, and log all the requests?
RIGHT TO BE FORGOTTEN
For those of you familiar with the policy that Google rolled out a few years ago, this ‘right to be forgotten’ policy has picked up steam, and now takes pride of place in the new GDPR regulation. For GDPR purposes, when data is no longer relevant to its original purpose, data subjects can have you (the data controller) erase their personal data and cease its dissemination.
DATA PORTABILITY
Put simply, any data stored on a data subject or person can be moved around across safe data environments. This rule allows individuals to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
PRIVACY BY DESIGN
After the new GDPR regulation comes into force, you’ll need to make sure you build GDPR data protection requirements into any company systems, CRM tools, apps, websites, email providers and any tools or mechanisms that use or collect data.
DATA PROTECTION OFFICERS
If you are a public authority or engage in large scale monitoring and processing of sensitive personal data (>250 employees), you must appoint a professionally qualified data protection officer. This could mean internal training is required, or you’ll need to hire someone with the right qualifications.
If you are in any doubt about any of the areas above, then we suggest you seek advice and start acting now to ensure GDPR compliance before May 2018 comes around.