Is your business ready for the GDPR?
GDPR is the Guide to General Data Protection Regulation and it applies to all controllers or processes of data. In May, Europe's data protection rules will undergo their largest overhaul in 20 years. It is end of April now, but still, plenty of confusion remains. To help clear things up, here's some guides to the GDPR.
WHEN DOES THE NEW REGULATION START? May 25, 2018
WHO WILL ENFORCE IT IN THE UK? The Information Commissioner's Office
WHAT'S NEW? There are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines
DOES BREXIT MATTER? The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same
THE GUIDE TO DATA PROTECTION REGULATION
What is GDPR
GDPR is the Guide to General Data Protection Regulation and it applies to all controllers or processes of data. Essentially this means that if you use, handle or have access to others personal data you need to ensure that your policies are GDPR compliant. The general intention of GDPR is to set out guidelines that make it easier for citizens to have transparency about how their data is being used and what it is being used for.
Why am I collecting this data?
Transparency is key when it comes to compliance. This means that you need to ensure that the person who you are collecting data from, knows what you intend on doing with it. If, for example, you require an email to download a price list but after sending that price list you intend on sending them monthly email newsletters, you must ensure you have an opt-in process in place rather than an opt-out. Data subject access requests have changed too. Companies now cannot charge for complying with a request unless the request is ‘manifestly unfounded or excessive’. The time that you have to comply with a request has been reduced to 30 days, with a possibility of an extension if the company has received a particularly complex request.
Is it necessary to collect this data?
If you are collecting data or have data stored from previous interactions, then you must have a legitimate reason for storing it. If an individual requests that you delete their data and you can not provide them with a legitimate reason, then under article 17 the right to be forgotten, your business must respond and delete with “undue delay”.
Data collected before May 25th 2018 on 'broad-based consent' or data that's been collected in a way that would not satisfy the new requirements of GDPR will be classed as 'Historical Data'. The Processing of 'Historical Data' will no longer be lawful after the 25th and there will be no exceptions or 'Grandfather Provisions'.
Where/ how will I store the data so that it is secure?
Once you have gathered data and the client has opted into hearing from you, you need to ensure that their data is protected. The recommended way to do this is to keep your data in encrypted files. Audit logs will also be a key component in your data protection and troubleshooting of the security of your files.
HOW TO PREPARE YOUR BUSINESS FOR GDPR?
When implemented, GDPR will have a varying impact on businesses and organisations: for instance, not every company will require a data protection officer. To help prepare for the start of GDPR, the ICO has created a 12-step guide.
Please click to download the GDPR 12-step guide brochure below or view the web link: