The General Data Protection Regulation (GDPR) protects the personal data and privacy of EU citizens and regulates the export of personal data outside the EU. It is a Europe-wide law that will replace the current Data Protection Act 1998 in the UK.
Key Fact: If you are found to be non-compliant with GDPR, you shall be subject to administrative fines of up to €20,000,000, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. (Regulation (EU) 2016/679 of the European Parliament and of the Council, 2017)
Here are 6 ways to prepare for GDPR:
1. Raise awareness within your business
The first step is to ensure the appropriate people within your business know and understand the new regulation. Speak to key individuals and ask them what is being done within your business to ensure GDPR compliance.
For smaller businesses that may not have a dedicated data controller, the Information Commissioner’s Office (ICO) has a dedicated section on its website to guide you through GDPR.
2. Take the GDPR self-assessment test
Start making preparations with the help of the ICO’s GDPR checklist. This will help you identify which areas of your business could cause compliance issues.
3. Keep a record of the data you hold
You are legally required to keep a record of the personal data you hold, where and when you acquired it, and whoever you may have shared it with. Records of your processing activities will need to be maintained, which will help you comply with the GDPR’s accountability principle. This requires a company to show proof of how it complies with the data protection principles.
4. Update your business's privacy notice
Plan out any necessary changes by reviewing your current privacy notice. When you collect personal data, you are required to give individuals certain information, which is commonly done through the privacy notice.
The information currently given is your identity and the intended use of their data. However, under GDPR companies will also be required to give further information, such as the lawful basis for processing the data, the retention period of the data and the individual’s right to complain if they think there is a problem with the way you’re handling their data.
It’s mandatory that all of this information is provided clearly and in a way that is easy to understand.
5. Check your procedures cover individuals’ rights
Check that your current procedures cover all of the rights an individual has, including how their personal data would be deleted and how it would be provided electronically in a commonly used format.
GDPR includes the following individuals’ rights:
- the right to be informed;
- the right to object;
- the right of access;
- the right to erasure;
- the right to rectification;
- the right to restrict processing;
- the right to data portability;
- the right not to be subject to automated decision-making including profiling.
The right to data portability is new and only applies to the following:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract;
- when processing is carried out by automated means.
The information must be provided in a commonly structured, machine-readable format, and free of charge. To prepare for this, consider whether your procedures need revising and then make the required changes.
6. Document your processing activity
It’s important to identify the lawful basis for your processing activity, document it, and update your privacy notice to explain it. Under the current law this doesn’t have many practical implications, but this will change under the new law, as some individuals’ rights will vary depending on your lawful basis for processing their personal data. This will also need to be explained when answering an individual’s access request. Documenting this is essential to help you comply with the GDPR’s accountability requirements.
In summary, the key points to remember are as follows:
- Ensure everyone in your business is aware of and understands the new regulations;
- Identify the areas of your business that may cause compliance issues;
- Check that all data you hold is recorded, including where and when you acquired it;
- Update your business’ privacy notice to include the lawful basis for processing the data, the retention period of the data and the individual’s right to complain if they think there is a problem with the way you’re handling their data;
- Check your procedures cover individuals’ rights, including how their personal data would be deleted and how it would be provided electronically in a commonly structured, machine-readable format;
- Identify your business’ lawful basis for processing personal data so you can document it and update your privacy notice accordingly.
Don’t fall into the trap of thinking GDPR does not apply to you: it affects any business that processes the information of an EU resident. Start by understanding what GDPR is and the consequences of non-compliance. Act now to avoid hefty fines.
Regulation (EU) 2016/679 of the European Parliament and of the Council. (2017, 12 7). Retrieved from European Commission: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf