Prepare for the General Data Protection Regulations
The General Data Protection Regulations (GDPR) are coming into force in mid-2018. Brexit has thrown some confusion on the matter: will the UK be following the GDPR or not? GDPR is an EU directive; however, UK-based businesses do still need to prepare for it. The vote to leave the EU does not change this.
As the GDPR rules are stricter than the existing Data Protection Act 1998 (DPA), changes to your data handling will need to be made. The Information Commissioner’s Office (ICO) has published 12 steps for companies to go through to ensure that they are prepared for the changes. Non-compliance with the GDPR will result in a fine, but this can be avoided. Our aim is to raise awareness of the changes and promote preparation. We will be looking at the first two steps in this article; in brief, the 12 steps are:
- Information you hold
- Communicating privacy information
- Individuals’ rights
- Subject access requests
- Legal basis for processing personal data
- Data breaches
- Data Protection by Design and Data Protection Impact Assessments
- Data Protection Officers
The regulations are changing, but who needs to know? The decision makers and key people in organisations should be aware of how the law is changing. They need to look at how the changes will impact the company, identifying areas that might cause compliance problems once the GDPR is enforced.
The GDPR applies to both data controllers and data processors: the controller decides how and why personal data is processed, and the processor acts on the controller’s behalf. Under the GDPR, both the controller and the processor have obligations to fulfil, making it essential that they are aware of the changes, fully understand them and are prepared for them.
#2 Information You Hold
Every organisation subject to the GDPR needs to document the information it holds. This is good practice, and some organisations already do it, but under the GDPR it becomes a necessity. Conducting an information audit is a sensible first step towards complying with the GDPR’s accountability principle. Beyond this, there are many reasons you may need to know what information you hold about an individual. With the ‘Right to be Forgotten’ being introduced, you need to know what information you hold in order to ensure that all of it is removed when required.
We will be discussing all the steps over the coming weeks.