The GDPR is a topic no business can afford to ignore. The new regulation brings much tougher fines, so now is the time to get to grips with it. This blog post covers what the GDPR is, how it differs from the Data Protection Act, why you should pay attention and the first steps you can take towards compliance.
What is the GDPR?
GDPR stands for the General Data Protection Regulation. It sets out how organisations must handle personal data, the rights of data subjects (the individuals the data is about) and the duty to make those individuals aware of their rights. The main principles of the GDPR are:
- Processing data lawfully, fairly and transparently in relation to the data subject.
- Collecting data only for specified, explicit and legitimate purposes, and not using it in ways incompatible with those purposes.
- Holding data that is adequate and relevant, and limited to what is necessary for those purposes (data minimisation).
- Keeping data accurate and up to date, and promptly erasing or rectifying inaccurate data.
- Storing data in a form that identifies individuals for no longer than necessary.
- Protecting data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
Under the new regulation you must tell people how you use their data, be ready to help data subjects exercise their rights, and know exactly who else handles data on your behalf. In practice, your privacy information must tell people:
- Who the Data Controller is – your business name and contact details
- The purpose and lawful basis for the processing – what you will use the data for and why you are entitled to do so
- The recipients or categories of recipients – for example any third-party hosting or storage providers you pass data to
- Their rights under the GDPR – including the right to see any data you hold on them and to have it corrected or erased
The GDPR is an EU regulation, and the UK government has said it will be retained in UK law post-Brexit. Most importantly, it applies from 25 May 2018, so don’t panic: you still have time to put preparations in place.
Data Protection Act vs GDPR
Under the Data Protection Act 1998, data subjects have a number of rights and Data Controllers are responsible for acting in accordance with them. In practice, though, a Data Controller’s compliance rarely came under scrutiny until a data breach or a complaint occurred.
The GDPR, by contrast, places more responsibility on Data Controllers up front: telling data subjects about their rights, giving individuals the information they need to exercise those rights, implementing appropriate technical and organisational measures to prevent a data breach, and being able to demonstrate compliance (the accountability principle).
The Data Protection Act 1998 will be superseded by the new regulation. The key takeaway is that the GDPR gives people more control over what companies can do with their data, and that data breaches and non-compliance can attract far larger fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Why should you pay attention to the GDPR?
The GDPR is binding on any organisation that processes the personal data of individuals in the EU, whether as a Data Controller or a Data Processor and whatever its size, so it applies to the majority of businesses. Note that the regulation talks about “personal data”, which is broader than the Personally Identifiable Information (PII) many security teams are used to: it covers any information relating to an identifiable person, including online identifiers such as IP addresses and cookie IDs.
It’s time to take action
To get you on your way to being GDPR compliant, take a look at this list of actionable steps to put you on the right path.
1. Conduct an internal review
Who in your organisation needs to know about the GDPR? Decision makers, and anyone who handles personal data, should understand what the GDPR is and how it will affect their work.
2. Identify all the personal data you control and process
Record where you act as a Data Controller and where you act as a Data Processor, and document what personal data you hold, where it comes from, who you share it with and how long you keep it.
3. Check where all data is sent and stored geographically
If your business carries out cross-border processing within the EU, determine your lead supervisory authority. If personal data leaves the EEA (for example to a cloud provider hosted elsewhere), you need a lawful transfer mechanism such as an adequacy decision or standard contractual clauses. You also need to ensure your contracts with Data Processors contain the terms the GDPR requires; as the Controller, it is your responsibility to make sure your Processors meet the regulation’s requirements.
4. Review your security policies
Review your policies and practices against the new requirements, and make sure you have a tested procedure for detecting, containing and reporting a data breach. The GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and to inform the affected individuals where the risk to them is high.
5. Prepare notices for each area of data
Do your current privacy notices explain, in clear and plain language, how and why you’re using the subject’s data? When the GDPR applies, you’ll be expected to have appropriate notices in place for each area where you collect data.
6. Document the lawful basis for processing personal data
For each processing activity, record which lawful basis you rely on (for example consent, performance of a contract, a legal obligation or your legitimate interests). The basis you choose affects which rights individuals can exercise, and you will need to state it in your privacy notices.
7. Cover individuals’ rights
Individuals have a number of rights under the GDPR: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. Do your procedures cover all of these, including responding to a subject access request within the one-month time limit?
There is likely to be much more you’ll need to do to be fully compliant by May, but these 7 steps should help get you started.
Finally, our main piece of advice is to document your plans and processes. The GDPR requires you to be able to demonstrate compliance, and a documented, evidenced programme will count in your favour with the regulator in the event of a data breach.
We hope you’ve found this blog useful for getting to grips with the GDPR. If you’re interested in learning more about the GDPR, register your interest for further educational content.