Preparing your business for the new GDPR
The General Data Protection Regulation (GDPR) is a new piece of EU regulation intended to strengthen and unify data protection. It introduces new requirements for those processing personal data, as well as tougher penalties for data breaches.
Any business which controls or processes personal data needs to be aware of the changes and prepare before it replaces current data laws.
Similar to the Data Protection Act (DPA), the GDPR places significantly more legal liability on those maintaining records of personal data and processing activities if they are responsible for a breach.
The law will apply in the UK from 25 May 2018. It will be implemented here despite Britain’s exit from the EU, as we will not have departed by the time it applies, and any future policies may well be based on it.
A snapshot of the changes:
- Maximum fines for serious breaches could rise to as much as €20m or 4% of worldwide annual turnover, whichever is greater
- A requirement to report data breaches to the ICO within 72 hours
- A wider definition of personal data to reflect evolving technology
- Mandatory appointment of a Data Protection Officer for some companies
The Information Commissioner’s Office recommends 12 steps your business can take now…
1. Awareness
Make sure key decision makers in your organisation are aware of the changing law.
2. Information you hold
Document what personal data you hold, where it came from and who it is shared with.
3. Communicating privacy information
Review your current privacy notices and plan a timeframe to make any necessary changes.
4. Individuals’ rights
Check your procedures to ensure they cover all the rights individuals have, e.g. how you would delete personal data or provide data electronically.
5. Subject access requests
Plan how you will handle requests within the new timescales.
6. Legal basis for processing personal data
Identify your legal basis for carrying out any data processing you do.
7. Consent
Review how you currently seek, obtain and record consent.
8. Children
Think about putting systems in place to verify individuals’ ages and gather parental/guardian consent for data processing.
9. Data breaches
Make sure all staff are aware of the correct procedures to detect, report and investigate a data breach.
10. Data Protection by Design and Data Protection Impact Assessments
Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments.
11. Data Protection officers
Somebody should be designated to take responsibility for data protection compliance. This may mean formally designating someone as your data protection officer (DPO). Most SMEs will not require a DPO, but it would be worth checking.
12. International
If you operate in more than one EU state, then you should choose the lead authority – namely where your main establishment is.
The new General Data Protection Regulation follows the same concepts and principles as the Data Protection Act, with a few additions accounting for the significant changes in data over the past 20 years. However, if you currently comply with the Data Protection Regulations, then as long as you follow these steps you should find that you will be complying with the new regulation too.
If you would like to talk to an insurance adviser about ways to protect your liability, or for products that may assist you in the event of a breach, then call Fiveways today on 01952 812380 or email firstname.lastname@example.org.