The General Data Protection Regulation (GDPR) will come into effect from May 2018, replacing the existing data protection framework. This legislation will govern the privacy practices of any company handling EU citizens' data, regardless of whether the company is in the EU. Here's our guide to help you understand what it means for your business.

It's essential that all organisations involved in data processing make themselves aware of this new regulation. The aim is to emphasise transparency, security and accountability by data controllers and processors, while standardising and strengthening the rights of European citizens to data privacy. The GDPR gives data protection authorities more power to tackle non-compliance, including the issuing of fines of up to €20,000,000. It will also make it easier for private claims to be made against data controllers.

How can companies prepare for GDPR?

Make sure you fully understand the following points. Print them out for reference and work through each step to ensure your complete compliance:
- Become aware – review your organisation's risk management processes. Identify areas that could cause compliance problems.
- Become accountable – make an inventory of the personal data you hold. Why do you hold it? Do you need it? Is it safe?
- Communicate with staff and service users – review data privacy notices and make sure you keep service users fully informed about how you use data.
- Personal privacy rights – ensure your procedures cover all the rights that individuals are entitled to.
- Access request changes – plan how you will handle requests within the new timescales.
- Legal basis – look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- Customer consent as grounds to process data – review how you seek, obtain and record consent and whether changes will now need to be made.
- Processing children’s data – do you have systems in place to verify ages and gather consent from guardians?
- Data breaches – are you aware that it’s mandatory to report a breach? Make sure you have procedures in place to detect, report and investigate.
- Data Protection Impact Assessments (DPIA) – data privacy needs to be at the heart of all future projects.
- Data Protection Officers – consider whether you will be required to designate a DPO.
- International organisations – map out where your organisation makes its most significant decisions about data processing, and determine your main establishment and Lead Supervisory Authority.

If you have any questions regarding the issues in this article, please don't hesitate to contact our 24 Hour Advice Service on 01 855 50 50.