How to Prepare and Protect Your Business with the Changing GDPR Laws
The 25th May 2018 sees the introduction of the EU’s new data protection reform; the EU General Data Protection Regulation (GDPR). The new rules will update and replace previous data protection acts, and will enable the general public to better control their personal data, regardless of where it is sent, stored and processed.
These new rules are being introduced to provide a uniform set of guidelines and standards that all businesses must comply with to protect their customer data when trading in the EU. A business that fails to comply with the new regulations will be subject to a fine of up to €20 million or 4% of its global annual turnover, whichever is larger.
The GDPR has four provisions which include:
• Individuals will have more information on how their data is processed.
• It will be easier for individuals to transmit their data between service providers.
• Individuals will have the right for their data to be erased if there is no legitimate reason for it to be stored.
• Individuals will have the right to know if their data has been hacked.
Impact on businesses
The GDPR means that businesses can streamline their data protection and capitalise on simple, clear, unified standards from having one central body for data protection and standardisation, rather than the current 28 national laws. The new rules also mean that all businesses trading in the EU will operate on a level footing, as they are all bound by the same guidelines regardless of where they are established.
Businesses should also consider appointing a data protection officer (DPO) to implement safeguards from the early stages and to be responsible for overall data protection compliance. Organisations must appoint a DPO if they are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large-scale processing of special categories of data such as criminal convictions and offences.
Preparing for the GDPR
Although the GDPR doesn’t come into effect until 25th May 2018, businesses are advised to prepare and ensure compliance by following the checklist prepared by the Information Commissioner’s Office (ICO):
1. Ensure all decision makers in your organisation are aware of the GDPR.
2. Audit the personal data you hold, where it came from and whom you share it with.
3. Review your current privacy notices and plan for making any necessary GDPR changes.
4. Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data.
5. Update your procedures and plan how you will handle requests to provide extra information.
6. Look at the data processing you carry out, identify your legal basis for doing so and document it.
7. Review how you are seeking, obtaining and recording consent.
8. Think about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for data processing.
9. Ensure you have the right procedures in place to detect, report and investigate data breaches.
10. Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments, and work out how and when to implement them.
11. Designate a Data Protection Officer, if required, or someone to be responsible for data protection compliance.
12. Determine which data protection supervisory authority you fall under if your organisation operates internationally.