GDPR stands for the ‘General Data Protection Regulation’. It’s been nearly five years in the making and after being published in the Official Journal of the European Union on 14th April 2016, officially came into force on 25th May, 2016. However, there is a two year transition period meaning its provisions will be directly applicable to EU States on 25th May 25, 2018, now less than a year away.
It replacesthe Data Protection Act, and is much stricter.
One of the informational PDF documents from the Government detailing how to prepare for the GDPR is insightful and lists 10 important steps businesses can take to ensure they’re ahead of the impending deadline. However, here is a brief summary of the key issues:
- Awareness: People in your organisation should be made aware that the law is changing. Make compliance in a year’s time easier by raising awareness now.
- Information You Hold: By the new rules, if you hold inaccurate data and have shared this with another organisation, you will be responsible for correcting it. Therefore you need to know the data that you hold, where it came from, and where you might have sent it.
- Communicating Privacy Information: Your privacy policies will need to be updated to incorporate the new things you need to tell people, such as your legal basis for processing their data – this will need to be done in clear, concise language.
- Individual’s Rights: Rights for individuals under the GDPR will include: having subject access, inaccuracies corrected, information erased, the ability to say ‘NO’ to direct marketing and automated decision making and the right to not be profiled by their data.
- Subject Access Requests: Subject access requests will have to be dealt with in a month.
- Legal Basis for Processing Data: You will have to explain your legal basis for processing personal data.
- Consent: You need to review how you are obtaining consent and ensure it adheres to the GDPR rules.
- Data Breaches: Some organisations already have to notify the ICO of a data breach, this will become the case across the board.
- Data Protection by Design & Data Protection Impact Assessments: This will become a legal requirement.
- Data Protection Officers: The GDPR will require some organisations to designate a data protection officer.
There is a lot to digest! Things will get a lot stricter around data protection. Business owners and those processing data should start looking at adhering to the pending regulations now, not leave it until May 2018!