The GDPR is the new framework for data protection law that comes into force on May 25, 2018. It will be enforced in the UK by the Information Commissioner’s Office and will replace the 1995 Data Protection Directive that is currently in place. The aim of the new legislation is to bring all the data privacy laws across the EU into harmony with one another. Greater protection and rights will also be provided to individuals as a result of the GDPR.
Businesses have had since May 2016 to prepare for the new regulation, which gives people the right to access the information that companies hold about them. There are new obligations for improved data management that businesses need to know and follow, along with new fines for those that don’t comply with the legislation. There has been some confusion as to whether Brexit will stop the GDPR. Please note that the UK will be implementing a new Data Protection Bill, but it will be made up largely of the provisions that are in the GDPR. Therefore, it is important to be prepared, as the UK law will be very similar.
There is plenty of information out there that will help you with the transition in time for May 25, 2018. Here are a few resources to bookmark:
12 Ways to Prepare for the General Data Protection Regulation
We do hope that your preparations are already underway. Here is a list of 12 steps to complete or to use as a checklist for your business, as prepared by the Information Commissioner’s Office.
1. Make sure all decision-makers in the business are aware of the GDPR and the impact it will have on the business.
2. Create a document that details all the personal data that your business holds. The information should include where the data comes from and who it is shared with.
3. Review the current privacy notices that you have and plan the necessary changes that are required to be implemented by May 25, 2018.
4. Check that all procedures cover the rights of individuals and include information about how personal data will be deleted, how data will be provided electronically and in what format.
5. Procedures and plans will need updating to include how requests will be handled along with any additional information.
6. Document the lawful basis for your processing activity and update the privacy notice to explain this information.
7. Audit how you obtain, record and manage consent and make changes if they are not compliant with the GDPR standard.
8. Decide if it’s necessary to verify the age of individuals and if it’s necessary to obtain parental consent for the data processing.
9. Set up procedures to detect, investigate and report personal data breaches.
10. Read the Article 29 Working Party’s data protection guidance and decide when to implement it in your business.
11. Give someone the responsibility for data compliance in your organisation and decide if it’s necessary to designate a Data Protection Officer.
12. If you operate internationally, you will need to determine your lead data protection supervisory authority.