The looming GDPR deadline has sent many organisations into a frenzy as they scramble to meet the regulations. But what is it, who does it apply to, and what do you need to do?
What is GDPR?
The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive 95/46/EC and, in the UK, supersedes the long-standing Data Protection Act 1998. The regulation is designed to protect the personal data of individuals in the EU and comes into force on 25th May 2018.
Who Must Comply with GDPR?
Every organisation that processes or holds personal data relating to individuals in the EU must comply with GDPR. The regulation does not apply only to organisations established in the EU: any organisation worldwide that offers goods or services to, or monitors the behaviour of, individuals in the EU is within its scope.
Businesses that do not comply with GDPR face penalties of up to €20 million or 4% of their annual global turnover, whichever is greater.
What Information Does GDPR Protect?
The GDPR seeks to protect the personal data of individuals in the EU.
The definition of personal data is extensive: it is ‘any information relating to an identified or identifiable natural person’. It includes such details as:
- full name
- email address
- bank account details
- IP address
- mobile phone ID
- location data
This broad definition of personal data means GDPR affects many organisations that would not otherwise consider themselves to handle ‘sensitive’ information. As a result, all businesses, from SMEs to FTSE 100 companies, may need to change how they manage personal data.
What Will GDPR Change?
The changes will include:
- tighter requirements for how data is collected, stored and managed;
- increased rights for individuals, including the right to access their personal data, to have it erased, and to receive it in a portable format;
- greater powers for supervisory bodies.
12 Steps to take in preparation for GDPR
1. Awareness
Ensure decision makers and key people in your organisation are aware that the law is changing to the GDPR. It is important that they fully understand the impact it is likely to have on them individually and on the organisation as a whole.
2. Information you hold
Carry out an information audit to identify the types of personal data you hold, where it came from and who you share it with. You will be required to maintain records of your processing activities. If inaccurate personal data has been shared with an external organisation, that organisation must be notified of the inaccuracy so that it can correct its own records.
3. Communicating privacy information
Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individual rights
Check that your procedures cover all the rights individuals have under GDPR, including how personal data will be deleted and how it will be provided to individuals electronically in a commonly used format.
5. Subject access requests
Update your procedures and plan how you will handle subject access requests under the new rules. For example, the timescale for responding changes from 40 days to one month, and in most cases you can no longer charge a fee. If your organisation typically handles a large number of requests, its processes will need to be reviewed and systems may need to be developed so that requests can be dealt with more quickly.
6. Lawful basis for processing personal data
Identify the lawful basis under GDPR for each of your processing activities. Document it to help you meet the ‘accountability’ requirements. You will also be required to explain your lawful basis for processing personal data in your privacy notice and when answering a subject access request.
7. Consent
Establish any changes that need to be made to how you request, record and manage consent. Under GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Existing consents must be refreshed now if they do not meet GDPR standards.
8. Children
Systems may need to be put in place to verify individuals’ ages and to obtain parental or guardian consent for data processing involving children. GDPR sets the age at which a child can consent to online services at 16, and member states may lower this to no less than 13.
9. Data breaches
Ensure you have the correct procedures in place to detect, report and investigate a personal data breach. You will be required to notify the Information Commissioner’s Office (ICO) of any breach that is likely to result in a risk to the rights and freedoms of individuals, within 72 hours of becoming aware of it where feasible, and to inform the affected individuals directly where the risk is high. Failure to report a breach can result in a fine in addition to any fine for the breach itself.
10. Data Protection by Design and Data Protection Impact Assessments
Refer to the guidance the ICO and the Article 29 Working Party have produced on Data Protection Impact Assessments (DPIAs) and establish how to implement them in your organisation. A DPIA is mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of public areas.
11. Data Protection Officers
Consider whether your organisation is formally required to designate a Data Protection Officer (DPO). If so, identify someone to take responsibility for data protection compliance within your organisation and assess where this role sits within the present structure and governance arrangements.
12. International
Determine your lead data protection supervisory authority if your organisation operates in more than one EU member state or otherwise carries out cross-border processing.
Every organisation’s journey to becoming GDPR compliant will be different. Each organisation should consider if and how GDPR affects its business and which of the steps above need implementing.
GDPR is enforced in the UK by the ICO, and a link to their website can be found here.