The General Data Protection Regulation (GDPR) is a new piece of EU regulation intended to strengthen and unify data protection. It introduces new requirements for those processing personal data, as well as tougher penalties for data breaches.
Any business which controls or processes personal data needs to be aware of the changes and prepare before the GDPR replaces current data protection law.
Compared with the Data Protection Act (DPA), the GDPR places significantly more legal liability on those maintaining records of personal data and processing activities if they are responsible for a breach.
The law will apply in the UK from 25 May 2018. It will be implemented here despite Britain’s exit from the EU, as we will not have departed by the time it applies, and any future policies may well be based on it.
A snapshot of the changes:
- Maximum fines for serious breaches could rise to as much as €20m or 4% of annual turnover, whichever is greater
- A requirement to report data breaches to the ICO within 72 hours
- A wider definition of personal data to reflect evolving technology
- Mandatory appointment of a Data Protection Officer
The Information Commissioner’s Office recommends 12 steps your business can take now:
- Awareness
Make sure key decision makers in your organisation are aware of the changing law
- Information you hold
Document what personal data you hold, where it came from and who it is shared with
- Communicating privacy information
Review your current privacy notices and plan a timeframe to make any necessary changes
- Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, e.g. how you would delete personal data or provide data electronically
- Subject access requests
Plan how you will handle requests within the new timescales
- Legal basis for processing personal data
Identify your legal basis for carrying out any data processing you do
- Consent
Review how you currently seek, obtain and record consent
- Children
Think about putting systems in place to verify individuals’ ages and gather parental/guardian consent for data processing
- Data breaches
Make sure all staff are aware of the correct procedures to detect, report and investigate a data breach
- Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments