Preparing for the General Data Protection Regulations Part II
More than a fifth of UK businesses don’t understand the GDPR requirements; don’t let it be you. With the ICO confirming that the UK will need to adhere to it, this is the second article in the series to help you prepare for the GDPR. We’ve been looking at the ICO’s 12 steps of preparation for the introduction of the GDPR in mid 2018.
- Information you hold
- Communicating privacy information
- Individuals’ rights
- Subject access requests
- Legal basis for processing personal data
- Data breaches
- Data Protection by Design and Data Protection Impact Assessments
- Data Protection Officers
#3 Communicating Privacy Information
Under the DPA you need to be able to provide information to the subjects as to how their personal data will be used. This is commonly done using a privacy notice. Under the GDPR you will still need to declare information, but changes have been made, and additional information needs to be provided. You will, for example, need to state your data retention periods, and explain your legal basis for processing the data.
The ICO is in the process of updating its privacy notices code of practice, and this will be published later this year. It is worth remembering that privacy information needs to be provided clearly and concisely, making it easy to understand.
#4 Individuals’ Rights
The rights for individuals won’t so much change as be enhanced under the GDPR compared to the DPA. As with many of the changes, if your company is already set up to fully comply with the DPA, the changeover will be relatively straightforward.
The main rights for individuals will be:
- Subject access,
- To have inaccuracies corrected,
- To have information erased,
- To prevent direct marketing,
- To prevent automated decision-making and profiling, and
- Data portability.
Look at how your procedures would stand up to the enhancements. Data portability is an enhancement, and isn’t covered under the current DPA. It is an enhanced form of subject access and dictates that data must be provided electronically and in a commonly used format. The necessary changes for compliance can be made now.
To be continued...