Are you ready for GDPR?
25th May 2018 is a very important date for any business that stores or processes personal data. This is when the new General Data Protection Regulation (GDPR) takes effect, the biggest change to data protection law for 20 years.
The new regulation aims to improve the security with which sensitive data is handled and to protect the rights of the individual. It is vital that businesses establish in detail how the regulation will impact them and put their action plans in place.
Under GDPR, consent to store personal data will be more difficult to obtain and will have to be more explicit. There will be tighter privacy safeguards surrounding the processing of personal data. Businesses will need to provide an audit trail and documentation that demonstrates how they have followed best practice in data security.
Any security breach must be notified as quickly as possible, within 72 hours of the discovery of the breach at the latest, and if any individuals have been put at risk by the breach, then they must be informed directly.
If the processing of personal data is one of your core activities, or if you handle particularly sensitive personal data, you must appoint a Data Processing Officer to be the person responsible for ensuring compliance with GDPR.
Individuals have the right to request a free copy of any personal data that you hold on them. They also have the right for this to be provided in a software format that allows them to transfer their business easily to a new supplier. They have the ‘right to be forgotten’ and can demand that the data you hold is securely deleted, or that any errors in the data are corrected. They also have the right to object to you processing their data.
If your business is affected by GDPR, the first step will be to audit the personal data that your business holds and check the legal basis on which you hold it. For example, the level of consent that was given for you processing the data may not be valid under the new legislation, so you may need to either update your permissions or securely delete the data. You may not be able to use data collected prior to GDPR if it was obtained in a manner which is not compliant with GDPR.
You will also want to conduct a thorough review and update of your Data Protection Policy and the wording of any privacy notices you use when obtaining personal data. You must also have a plan in place for responding to requests for copies of personal data and the procedure you will go through to identify and report any security breach. Bear in mind that there will be stiff new penalties for any business found in serious breach of GDPR.
The Information Commissioner’s Office (ICO) has created a wide range of useful material and guidance to help businesses. These include helpful checklists to steer you through the steps you need to take to ensure compliance.
You can see these ICO resources at https://ico.org.uk/for-organisations/data-protection-reform/
Remember that the sooner you start getting ready for GDPR, the less likely you will be to encounter problems when 25th May 2018 arrives.
Superfast Business Cornwall has a Guide to GDPR which is free to access by registering for our Knowledge Bank at: www.sfbcornwall.co.uk/knowledge-bank