GDPR: 1 month countdown to new data protection law
On 25th May the Data Protection Act is being replaced by the General Data Protection Regulation (GDPR), which will affect all businesses that handle the personal data of people within the EU member states (this will not be affected by Brexit). The rules are much stricter than before, with potentially huge fines for businesses found to be in breach of the regulation.
With one month to go until the switch on to GDPR, what should your business or organisation be doing now to be prepared?
Why the change?
This change aims to harmonise and strengthen the data rights of people across the EU.
Who is affected?
Any business or organisation which handles the personal data of EU individuals, including charities, in any sector and of any size. The change is particularly significant for organisations with more than 250 employees.
What are the key differences?
Stricter rules on consent – people must actively say yes to being contacted. This means opting in to receiving marketing (so no pre-ticked boxes), being very clear about what people are agreeing to, keeping the consent request separate from any other process (not bundled up with T&Cs, for example) and offering everyone the opportunity to change their mind and easily opt out at any time.
Further information from the ICO on GDPR and consent.
Rights for individuals will be strengthened – including covering the secure destruction of personal data in paper and digital form (unless there is a legal reason to store the data such as for HR records), correcting data which is wrong, the right for a data subject to request details about the personal data an organisation is holding about them, and the right to be notified about a data breach.
More details from the ICO about GDPR and the rights of individuals.
Businesses will be accountable – which means complying with the new rules under GDPR and being able to demonstrate that compliance. This will require accurate and complete records of the processes involved in managing personal data. Additionally, businesses will need to consider how third parties handle personal data which is passed from your organisation (as the data controller) to them (as the data processor).
Helping businesses prepare for GDPR from the ICO.
Notifying of a data breach – under GDPR, breaches will need to be reported to the Information Commissioner’s Office (ICO), the UK’s independent authority which upholds information rights. Breaches include the loss of paper files as well as electronic data (a rule which will apply particularly during transportation).
Data breach and the GDPR as covered by the ICO.
Potential for significant fines – businesses which do not comply can be fined 2-4% of their global turnover or between €10 – 20M, whichever is greater.
5 key questions businesses should be asking now about personal data:
- How do we collect personal data – what changes are needed to be compliant with GDPR (such as gaining consent through active opt-ins)?
- How do we process and control data – who has access and who should have access (for example, password-protected folders which limit access on a need-to-know basis)?
- Is the data secure – including electronic and paper file storage and transportation?
- Are our IT systems and processes secure – including sharing, updating and responding to requests for records?
- How do we share data with external contacts (including transferring across borders or outside the European Economic Area (EEA))?
Please download our free GDPR countdown checklist as a reference guide to help you be prepared for 25th May.
If you have any questions about the GDPR and your legal requirements, please email our team: [email protected]