On 25th May 2018, Europe’s data protection rules will undergo their biggest change in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose.
There is a lot of "scaremongering" around the potential impact for businesses, but for those businesses and organisations already complying with existing data protection law the new regulation is an incremental change rather than a revolution.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act. For businesses already complying with the current data protection law, it’s highly likely they will be meeting many of the GDPR principles.
The main differences are:
* Consent carries more weight under the GDPR, but it is only one of six lawful bases for processing (alongside contract, legal obligation, vital interests, public task and legitimate interests). Where consent is relied on it must be a freely given, specific, informed and unambiguous opt-in: pre-ticked boxes and silence do not count. Privacy notices must be concise and transparent, and consent must be as easy to withdraw as it was to give.
* Accountability is key. Businesses and organisations must be able to demonstrate that they comply with the GDPR principles, which means being more accountable for their handling of people's personal information. Crucially, it is the business's responsibility to ensure, and evidence, compliance. Activities that demonstrate compliance include:
o Staff training
o Internal audits of data processing activities
o Internal HR reviews
o Appointing a data protection officer where one is required: public authorities, and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. Headcount is not the test; the 250-employee figure relates only to the exemption from keeping records of processing, not to the DPO requirement.
o Maintaining records of processing activities and all other compliance documentation
o Meeting all the principles of data protection
o Carrying out Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals
* Under the GDPR the right for businesses to charge £10 when an individual asks to access the information held about them is being scrapped. Subject access requests must be handled free of charge; a reasonable fee may be charged only where a request is manifestly unfounded or excessive, or for further copies. When someone asks a business for their data, it must produce the information within one month. That period can be extended by a further two months where requests are complex or numerous, but the individual must be told of the extension, and why, within the first month.
* The GDPR also gives individuals the power to have their personal data erased in some circumstances. These include where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn and there is no other lawful basis for the processing, where the individual objects and there is no overriding legitimate interest, and where the data was unlawfully processed.
* One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don't comply with it. The most serious infringements attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher; a lower tier of up to €10 million or 2% applies to breaches of obligations such as record-keeping, security and breach notification. An organisation can be fined if it doesn't process an individual's data in the correct way, if it requires a data protection officer and doesn't have one, or if it suffers a personal data breach through inadequate security or fails to report a notifiable breach to the regulator within 72 hours of becoming aware of it.
25th May will be here very quickly!
I can help you produce the following:
1. A privacy notice for employees, workers and contractors that notifies them about the personal data that the employer holds relating to them, how they can expect their personal data to be used and for what purposes.
2. A memorandum to a board of directors outlining the key issues concerning the GDPR, the need for a company-wide programme addressing these issues and what this programme needs to include.
3. A privacy standard (previously, a data protection policy) setting out the principles and legal conditions that organisations must satisfy when obtaining, handling, processing, transporting or storing personal data in the course of their operations and activities.
Call me on 07917 878384 or email me firstname.lastname@example.org if you need help!