Are you GDPR Compliant?
You may be asking yourself: what is GDPR?
GDPR refers to the European General Data Protection Regulation, the EU law on data protection and privacy for all individuals within the European Union. GDPR is an EU-wide change to data protection law. GDPR comes into force on 25 May 2018 and will replace the current Data Protection Act (DPA) 1998.
Even with the UK's forthcoming Brexit from the European Union, UK businesses will still need to comply with GDPR if they hold data about EU citizens that can potentially identify individuals within the EU. Post-Brexit, the UK will replace the Data Protection Act 1998 with legislation that mirrors GDPR.
All businesses, large or small, and anyone who controls or processes data, will need to comply with the new regulations regarding the secure collection, storage and usage of personal data.
There are two objectives of GDPR:
- Giving individuals back control of their personal data
- Simplifying the regulatory environment for international business by unifying the regulation across the EU
The Information Commissioner's Office (ICO) has prepared a guide, "GDPR: 12 steps to take now". The checklist highlights 12 steps you can take now to prepare for the General Data Protection Regulation (GDPR) by 25 May 2018.
The checklist highlights the following:
- Awareness – You need to ensure decision-makers and key people in your organisation are aware that the law is changing to GDPR and the impact this is likely to have.
- Information you hold – You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Communicating privacy information – Review your current privacy notices and plan for any changes in time for the implementation of GDPR.
- Individuals' rights – Check that your procedures cover all of the rights individuals have, including how you would delete personal data or provide it electronically in a commonly used format.
- Subject Access Requests – Update your procedures and plan how you will handle requests within the new timescales.
- Lawful basis for processing personal data – Identify your lawful basis for processing data under GDPR and update your privacy notices and policies accordingly.
- Consent – Review how you obtain, record and manage consent.
- Children – Do you need to put a system in place to verify individuals' ages and obtain parental consent?
- Data Breaches – Have procedures in place for reporting data breaches within 72 hours.
- Data Protection by Design and Data Protection Impact Assessments – Familiarise yourself with the ICO Code of Practice on Privacy Impact Assessments.
- Data Protection Officers – Do you need to designate a Data Protection Officer for your organisation (or a data controller, for small businesses)?
- International – Does your organisation operate in more than one EU member state?
Please note this advice is published as a useful guide and is not exhaustive.
Should you have a specific query, please refer to ICO’s Contact page.