Be prepared for GDPR – free guidance and tips
If you are currently subject to the DPA, you are likely to be affected by the General Data Protection Regulation (GDPR). Now is the time to begin preparing by making small changes so that you are ready for the new rules.
The Data Protection Act is being replaced on 25th May 2018 by the GDPR, which will bring stricter responsibilities for businesses and individuals, and large fines for not following the rules.
Also, the Information Commissioner’s Office (ICO) produces regular updates, so frequent visits to the ICO website are recommended.
The changes harmonise and strengthen the privacy rights of EU individuals regarding how their personal data is stored, managed, and deleted.
For businesses with over 250 employees, the changes are likely to have a significant impact.
GDPR is an opportunity for organisations to streamline processes and reshape how they manage personal data.
Download our free Hillyer McKeown GDPR countdown including practical tips, best practice guidance and a handy glossary of terms.
5 key questions businesses should be asking about GDPR now:
- Where do we store personal data (including contact information), and is it secure?
- Who controls and manages personal data within our organisation?
- How do we obtain consent at the moment?
- What IT systems and processes need to be reviewed to bring the holding and processing of personal data up to date?
- Do we share personal data with any external contacts, and is it transferred across borders or outside the European Economic Area (EEA)?
How will the GDPR affect you and your business?
A. There will be stricter rules on consent
Under the current rules, there is an assumption that someone has automatically agreed to receive information from you unless they have chosen to ‘opt out’ by ticking a box.
GDPR from 25th May 2018
GDPR removes the assumption that someone has automatically agreed to receive information: they must actively choose to give their consent by ‘opting in’ to communications (allowing the organisation to capture, store and handle their personal data).
GDPR goes even further. The meaning of what has been agreed must be specific, e.g. opting in to receive email updates or phone calls, and there must be a legal basis for collecting and holding data.
People must be able to withdraw their consent for specific types of communication at any time.
B. Enhanced rights for individuals
This is one of the key features of GDPR, bringing the UK into line with some of the stricter rules within the EU.
The rights cover capturing, storing, managing and removing data.
Organisations will need to have in place a method of updating incorrect data, a process which can quickly respond to someone’s request to see any personal data the organisation holds relating to them, and a process for rapidly notifying them of any data breach which compromises their data.
C. Businesses held more accountable
This includes an organisation being able to demonstrate how it is complying with new measures, with a rolling programme to revisit policies, procedures and reporting.
Organisations are recommended to conduct privacy impact assessments and, in some cases, to appoint a dedicated Data Protection Officer who takes the lead in providing updates and ensuring compliance.
D. Data breach notifications
Rules around data breaches will be tightened under the GDPR.
Breaches will need to be reported to the Information Commissioner’s Office (ICO) within 72 hours of the data breach. The ICO is the UK’s independent authority which upholds information rights.
E. Significant fines
Again, the GDPR will bring in strict rules for those who fail to abide by the rules.
Fines can be 2-4% of global turnover or between €10M and €20M, whichever is greater.
Further GDPR guidance
The ICO has issued guidance for organisations on preparing for the new regulations and what actions to take.
For specific information from the ICO, please see the following:
If you have any questions about the GDPR and your legal requirements, please email our team: [email protected]