With the introduction of the European Union’s General Data Protection Regulation (GDPR) now less than a year away, the data protection landscape is set to undergo a major shake-up.
The GDPR outlines how the data of any EU citizen must be handled, wherever in the world the company in possession of this data operates, making it a truly global piece of legislation. It comes into force on the 25th May 2018. The requirements stipulated in the new legislation range from stricter rules around securing consent for the use of personal information to, in some cases, the introduction of a designated data protection officer within the workplace.
Importantly, businesses need to be aware that the GDPR will still apply to them when it’s introduced, even as the UK determines its exit from the European Union. Indeed, the regulation will affect all UK businesses that offer any type of service to the EU market, regardless of whether or not they store or process the data on EU soil.
Acting now will provide businesses with the necessary time to speak to legal counsel, as well as information security specialists so that their staff can be trained on new policies well in advance of the legislation being implemented in 2018. Above all, businesses that act now will reassure their customers, partners and employees that they take protection of their data seriously.
To help businesses fully prepare for the new data protection legislation, and to help mitigate the risks of a data breach, the UK Government’s Information Commissioner’s Office (ICO) has published a GDPR checklist that highlights 12 steps you can start to take now.
We’ve also created a short compliance test, to help you identify if you are at risk of breaching the new regulations and to help you to secure your data and avoid potential breaches.
Come May 2018, organisations will be expected to comply or face fines of up to €20m or 4% of annual worldwide turnover.
Take our quick data compliance test.
12 steps to take now to prepare for GDPR
- You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
- You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
- You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
- You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
- You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Use our free, quick 6-question compliance test to assess your compliance with the Data Protection Act and find out what your business can do to improve your security.