HM Insights

Don't let the GDPR get you down - our top 10 tips

GDPR stands for the General Data Protection Regulation, which is the new data protection regime being rolled out across the EU. What this actually means is that the way in which organisations process personal data needs to be reviewed in line with the new requirements under the GDPR.


The GDPR will apply directly in all Member States of the EU from 25 May 2018, and the UK Government has now announced arrangements for publication of the new UK Data Protection Bill, which will give effect to the GDPR and replace the Data Protection Act 1998 (the DPA).

How will GDPR affect me?

The GDPR will have implications for any business or organisation which is a 'data controller' in terms of the DPA (and, for the first time, it places direct obligations on 'data processors' too). It will affect the way in which they operate and manage the personal data they hold.

Some of the key changes introduced by the GDPR are:

  • new reporting obligations for certain data breaches: to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, and to affected individuals without undue delay where the breach is likely to result in a high risk to them;
  • a requirement to identify and document a clear legal basis for each processing activity involving personal data;
  • a higher standard for consent where consent is relied upon as the legal basis – it must be freely given, specific, informed and unambiguous, so, for example, individuals will need to "opt in" to receive marketing communications rather than being opted in by default;
  • new and enhanced rights for individuals to access their personal data, have their personal data amended or deleted, restrict the processing of their personal data and object to the processing of their personal data; and
  • an increase in the level of fines for breaches (up to 4% of annual worldwide turnover or €20 million, whichever is higher).

Get ready for GDPR – our Top 10 Tips

We would recommend that you start preparing now as the GDPR will have direct effect in the UK from 25 May 2018, even if the new UK Data Protection Bill has not received Royal Assent by then.

Here are our Top 10 Tips to get ready for the GDPR:

  1. Undertake a data protection audit – identifying the categories of personal data you process, why you process it and what you do with it is the key starting point for understanding the extent of the GDPR's impact on you. The audit should also be used to identify any shortcomings early, so that you can put in place measures or policies to be compliant by the time the GDPR applies.
  2. Ensure 100% compliance with the DPA – the GDPR goes further than the DPA, so as a minimum you should ensure that you comply with the DPA in full. This includes adhering to the 8 data protection principles set out in the DPA; identifying the personal data you hold, particularly any sensitive personal data; and ensuring that personal data is not disclosed in breach of the DPA.
  3. Roll out DP training – anyone in your organisation who has access to or handles personal data should be able to identify that it is personal data and be aware of the basic principles which govern their activities.
  4. Review existing forms, correspondence, websites, DP statements – the GDPR sets down new requirements for consents and fair processing notices. You will need to check that your current wording complies.
  5. Establish an accountability framework – there are onerous accountability obligations on data controllers under the GDPR, including: maintaining specific documentation and conducting a data protection impact assessment before undertaking any risky processing (e.g. profiling via wearable technology). You will need to adopt policies and implement measures to demonstrate compliance.
  6. Adopt higher standards of data security – the GDPR requires data controllers and processors to implement technical and organisational measures appropriate to the risk of the processing (it expressly mentions pseudonymisation and encryption, the ability to restore availability and access after an incident, and regular testing of those measures). In practice this means assessing the risk attached to all the personal data you hold and documenting the measures you adopt in response.
  7. Implement a DP breach management policy – there will be a new requirement to notify the ICO of certain breaches within 72 hours of becoming aware of them. Your policy should cover how a breach is detected and escalated internally, who decides whether notification is required, and how every breach (including those not notified) is recorded, as the GDPR requires controllers to keep a record of all personal data breaches.
  8. Be prepared for data subjects to exercise their rights – appropriate procedures for handling subject access requests should be put in place before May 2018, as the time data controllers have to respond is reduced from 40 days under the DPA to one month (and "without undue delay") under the GDPR, and the £10 fee currently chargeable under the DPA can no longer be charged in most cases.
  9. Consider cyber insurance – with added responsibility and liability, cyber insurance should be considered by organisations processing personal data electronically, e.g. through website fundraising, social media activity, etc.
  10. Don't wait until 2018 – it's not worth being fined – don't wait until it's too late!

Get in touch

If you would like to find out more about how we could assist your organisation in relation to GDPR, please get in touch: