The General Data Protection Regulation (‘GDPR’) has brought about the most important changes to data protection law for twenty years. We can help you with that.
The GDPR significantly heightens the responsibilities of data controllers and processors as well as the rights of individuals, whilst introducing potential fines for non-compliance of up to €20 million or 4% of an organisation’s global annual group turnover, whichever is the greater.
In addition to the penalties, the loss of customer and stakeholder confidence could lead to loss of reputation and be catastrophic.
Elizabeth Denham, the Information Commissioner, has said:
“GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.
It’s an evolutionary process for organisations and 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.
But we pride ourselves on being a fair and proportionate regulator and this will continue under GDPR.”
What does this mean for your organisation?
People in your organisation need to know that the law is changing to the GDPR.
Information you hold
You should know and have documented what personal data you hold, where it came from and who you share it with.
Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes ready for GDPR implementation. When you collect personal data, you will need to tell people certain information.
Individuals’ rights will increase and put additional responsibilities on you.
Subject access requests
You need to update or introduce procedures as to how you will handle requests from people who want to access their personal data.
Lawful basis for processing personal data
You need to know and identify the lawful basis for processing personal data, document it and update your privacy notice to explain it.
You need to review how you seek, record and manage consent.
Are you able to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity? For the first time, the GDPR will bring in special protection for children’s personal data.
You need to have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. Data protection should now be embedded into your working practices.
Data Protection Officers
You need to consider whether you are required to formally designate a Data Protection Officer (DPO).