Author: JP / / Latest News
- 1 GDPR
- 2 Why?
- 3 Will It Affect me?
- 4 What Do I Do Now?
- 5 The 12 Steps
- 6 Awareness –
- 7 Information You Hold –
- 8 Communication Privacy Information –
- 9 Individuals Rights –
- 10 Subject Access Requests –
- 11 The changes to this area include:
- 12 Lawful Basis for Processing Personal Data –
- 13 Consent –
- 14 Children –
- 15 Data Breaches –
- 16 Data Protection by Design and Data Protection Impact Assessments –
- 17 Data Protection Officers –
- 18 International –
- 19 Don’t Stress!
GDPR is the General Data Protection Regulation and is replacing the current Data Protection Act (DPA). It will be implemented on 25th May 2018. At the moment, it is still a working document and changing daily.
It is being brought in to strengthen and unify data protection for all individuals within the EU. Although, Brexit talks are in place, the GDPR will be in place before/if Britain leaves the EU.
Will It Affect me?
It will affect everyone in the EU, even if it is only on a personal level. The GDPR is a working document, but overall, it is giving the individual more rights to the control data that companies hold on them.
Companies will have to put some steps in place to comply with GDPR. ICO have created a handy guide which helps self-assess how ready your company is for GDPR. The guide can be found here https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/.
What Do I Do Now?
Firstly, try to get your head around what GDPR is.
Secondly, start preparing. Start reviewing your current data protection policies.
Thirdly, you can go to the ICO website and find many useful articles and documents which explain GDPR. There are also documents on what to do and how to get ready.
One of the most useful resources is the, 12 steps to take now guide. It gives prompts on how to start preparing for GDPR so it isn’t so daunting the closer May 25th gets.
This can be found here https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
The 12 Steps
Here are the 12 steps summarised. More information can be found in the guide linked above.
Make sure your key decision makers, and people whose work practice will be affected, know about GDPR.
Information You Hold –
Make a list of what data you hold and where it came from. Also make a list of who you share it with. If you outsource your Marketing, list that they have that data from you.
Communication Privacy Information –
Individuals Rights –
The individual rights that GDPR includes are, the right to:
- be informed
- restrict processing
- data portability
- and to not be subject to automated decision making.
Therefore giving the individual more rights to their data.
Subject Access Requests –
The changes to this area include:
- Completing a Subject Access Request free of charge (if it isn’t manifestly unfounded or excessive)
- Must be completed within a month (previously 40 days)
- But if you feel the request is manifestly unfounded or excessive you can refuse to complete it. This does however, allow the individual the right to complain to the supervisory authority.
Lawful Basis for Processing Personal Data –
In the privacy notice you will have to explain the lawful basis for processing personal data. Documenting it now will help companies comply when GDPR comes into practice.
ICO have a detailed guide on this, which can be found here: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf.
To give consent to a company there must be a positive opt-in procedure. For example, a tick box must be clicked to opt-in. Pre-ticked boxes do not qualify. When you meet someone and they give you a business card, this also isn’t classed as consent. So that means you can’t add them to your quarterly newsletter for example. Consent must be freely given and the language used to explain what the individual is opting in for, must be specific, informed and unambiguous.
If your business or site is aimed at, or can be freely accessed by children, do you have systems in place for age verification? Do you have an area for parent/guardian to give consent for you to hold data about that child?
At the moment, children below 16 need a parent/guardian to give consent that you can hold data concerning them but this could drop to 13 in the future as the GDPR continues to be altered.
Data Breaches –
If you have a data breach you will need to inform ICO. This may already be part of your procedure, but when GDPR takes course, it is a must. In high risk cases of data breaches, (where specific information of individuals are involved) the individual must be contacted directly.
Data Protection by Design and Data Protection Impact Assessments –
GDPR makes privacy by design an express legal requirement. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
Data Protection Officers –
It may be beneficial to designate someone as a Data Protection Officer. This isn’t mandatory unless your company is:
- A public authority.
- An organisation that carries out regular and systematic monitoring of individuals on large scale
- An organisation that carries our large scale processing of special categorical data.
- The Data Protection officer should have knowledge about GDPR and have the support and authority.
If your company operates in more than 1 EU country or state, then General Data Protection Regulation affects you. Using article 29 working party will aid this process.
ICO have a helpline, live chat and advice service for small businesses. So, if you have read this article and you need more help, contact ICO. This can be found on their website.