What is GDPR and what do I need to do?
In this blog, we highlight the basics of the impending GDPR legislation and the immediate steps that need to be taken. We will explore the impact on your communications in our next blog!
GDPR (General Data Protection Regulation) is an EU legislation that comes into force in the UK on 25th May 2018 and applies to any business that handles data. Although this might seem a while away, it is important to understand the law and to ensure the processes are in place to comply. This will be the biggest shake-up in the regulation of data since the Data Protection Act 1998. Additionally, the sanctions for non-compliance are, quite simply, huge. The purpose of the new law is to:
- strengthen data protection for all individuals within the EU.
- account for new and emerging technologies.
- give control back to citizens and residents over their personal data.
- simplify the regulatory environment for international businesses by unifying regulation within the EU.
The new GDPR principles, published on the ICO website, set out what is expected of data controllers and processors when handling and processing personal data.
In a nutshell, any organisation that touches, processes or holds personal data will be affected by this new GDPR legislation. Companies will need to show that their data protection is compliant, for example by maintaining written policies and conducting compliance audits. The amount of data used should be minimised and there should be increased transparency about your data, as the consumer will have increased control over their own data (for example, they can ask for it to be deleted at any time). Companies will also need to obtain explicit, opt-in consent when collecting data.
What is changing and what does this mean in practice?
- Consent – the requirement for consent has tightened: clear affirmative action must now be taken. Pre-ticked boxes are no longer allowed when obtaining consent; consent must be expressly obtained and opted in to.
- Transparency – whether speaking to customers or writing copy, make it clear how their data will be used, for example for contacting them about your products / services, email marketing campaigns etc.
- Access / control – individuals will have the right to access their data more quickly and to request that their data be deleted. Individuals become true “data owners” for the first time. Ensure processes are in place to track and record requests for data to be deleted.
- Design – data controllers will now be responsible for their actions by demonstrating that privacy is hardwired into day to day operations. Ensure you can show evidence of this as an organisation.
- Breach – new statutory obligations to report to privacy regulators where there is harm to individuals. Ensure processes are in place internally to do this in a thorough and timely manner.
- Sanction – huge sanctions are associated with this, with fines of up to €20 million or 4% of worldwide turnover. This highlights how important it is to get this new legislation right.
What information does this apply to?
- Personal information such as names, addresses, contact details etc.
- Documentation such as passport copies, driving licences etc.
- Confidential information such as bank details, bank statements, credit card details etc.
- Correspondence such as call recordings and emails.
- CCTV recordings
- Recruitment and leavers data
- Employee payroll and personnel files
- CRM activity
- Web analytics, such as cookies etc.
- Invoice and expense forms
- Corporate accounts data such as forecasts, budgets etc.
12 steps to prepare for GDPR legislation as recommended by the ICO
1. Awareness – make sure key people within your organisation know that the law is changing and the impact that GDPR will have.
2. Information you hold – you should document all the personal data you hold, where it came from and who you share it with. This may involve organising an internal information audit.
3. Communicating privacy information – review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights – check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data in a commonly used format.
5. Subject access requests – update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Lawful basis for processing personal data – identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent – review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8. Children – think about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9. Data breaches – ensure you have the right processes in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments – familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
11. Data Protection Officers – designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12. International – if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority.