Preparing your Business for the GDPR

The General Data Protection Regulation (GDPR) is a new piece of EU regulation intended to strengthen and unify data protection. It introduces new requirements for those processing personal data, as well as tougher penalties for data breaches.

Any business which controls or processes personal data needs to be aware of the changes and prepare before it replaces current data laws.

Similar to the Data Protection Act (DPA), the GDPR places significantly more legal liability on those maintaining records of personal data and processing activities if they are responsible for a breach.

The law will apply in the UK from 25 May 2018. It will be implemented here despite Britain’s exit from the EU, as we will not have departed by the time it applies, and any future policies may well be based on it.

A snapshot of the changes:

  • Maximum fines for serious breaches could rise to as much as €20m or 4% of annual turnover, whichever is greater
  • A requirement to report data breaches to the ICO within 72 hours
  • A wider definition of personal data to reflect evolving technology
  • Mandatory appointment of a Data Protection Officer

The Information Commissioner’s Office recommends 12 steps your business can take now…

  1. Awareness
    Make sure key decision-makers in your organisation are aware of the changing law
  2. Information you hold
    Document what personal data you hold, where it came from and who it is shared with
  3. Communicating privacy information
    Review your current privacy notices and plan a timeframe to make any necessary changes
  4. Individuals’ rights
    Check your procedures to ensure they cover all the rights individuals have, e.g. how you would delete personal data or provide data electronically
  5. Subject access requests
    Plan how you will handle requests within the new timescales
  6. Legal basis for processing personal data
    Identify your legal basis for carrying out any data processing you do
  7. Consent
    Review how you currently seek, obtain and record consent
  8. Children
    Think about putting systems in place to verify individuals’ ages and gather parental/guardian consent for data processing
  9. Data breaches
    Make sure all staff are aware of the correct procedures to detect, report and investigate a data breach
  10. Data Protection by Design and Data Protection Impact Assessments
    Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments