The GDPR is the EU General Data Protection Regulation which will replace the Data Protection Act 1998 in the UK and the equivalent legislation across the EU Member States.
The Data Protection Act 1998 implements the EU Data Protection Directive 1995; however, given that they came into force during the 1990s, when there was no social media or cloud computing, they are extremely out of date.
The GDPR comes into force on 25 May 2018, so here are some simple steps to help your company prepare:
- AWARENESS – Make sure that the decision makers and key people in your organisation are aware that the law is changing to the GDPR.
- INFORMATION YOU HOLD – Document what personal data you hold, where it came from and who you share it with.
- COMMUNICATING PRIVACY INFORMATION – You should review your current privacy notices and put a plan in place for necessary changes.
- INDIVIDUALS' RIGHTS – Check procedures to ensure they cover all the rights, including how you delete personal data and provide data electronically.
- SUBJECT ACCESS REQUESTS – Update your procedures and plan how you will handle requests with the new timescales.
- LAWFUL BASIS FOR PERSONAL DATA – Identify the lawful basis for your processing activity, document it, and explain it in your privacy notice.
- CONSENT – Review how you seek, record and manage consent.
- CHILDREN – Put a process in place to verify individuals' ages and to determine whether you need parental or guardian consent.
- DATA BREACHES – Have procedures in place to detect, report, and investigate personal data breaches.
- DATA PROTECTION – Familiarise yourself with the codes of practice.
- DATA PROTECTION OFFICERS – Designate someone to take responsibility for data protection compliance and assess where this role sits in your organisation.
- INTERNATIONAL – Determine your lead data protection supervisory authority if you operate in more than one EU member state.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
Key changes are as follows:
- Higher fines – fines of up to 4% of turnover or €20,000,000 (whichever is higher) for a breach of the GDPR.
- Mandatory Notification – mandatory reporting of all breaches of data protection that could result in risk to individuals.
- Sensitive personal data – stricter rules apply to the processing of personal data such as medical information.
- Consent – Obtaining consent will be harder: silence or inactivity will not constitute consent; it must be clear, freely given and also easy to withdraw.
- Additional rights – new rights to transfer your data from one service provider to another.
- Data Protection Officer – You must appoint a Data Protection Officer.
Whilst these changes may seem a huge burden, the direct implementation of GDPR will make all EU countries much more uniform in their approach to data protection. With a little forward planning, this doesn’t need to be a stressful time.