May 25th 2018 sees the introduction of the EU's new data protection regulation, the GDPR (General Data Protection Regulation). It represents the biggest change in data protection law since the Data Protection Act 1998 came into force. One of the main objectives of GDPR is to give citizens more control over how businesses use their personal data, while simplifying the regulatory landscape for businesses. The change will affect every business that handles the personal data of EU residents, no matter its size, country or industry.
Although long expected, the change is still causing a scramble among businesses rushing to ensure they are fully ready to meet GDPR requirements by May 25th 2018. So what is GDPR, and how do you prepare? The ICO has laid out a set of steps to help you make sure you are compliant:
- Awareness – Business decision makers should be fully aware of the changes and the impact they are likely to have on the organisation.
- Information You Hold – You should document what personal data you hold, where it came from and who you share it with. Individuals can request all the data a company holds on them at any time, so you need to know where it is.
- Privacy Information – You should review your privacy notices and put a plan in place to make the changes needed to meet GDPR.
- Individual Rights – You should be clear on how you use individuals' data, including how long you hold it and how it is deleted, and be able to provide individuals with all the data you hold on them when requested.
- Subject Access Requests – You will need to update your procedures and plan how you will handle requests within the new timescale for providing information (generally one month, down from 40 days under the 1998 Act).
- Consent – Your business needs to ensure it has valid consent to use customers' data; you should review existing consents and refresh them if they do not meet the GDPR standard.
- Children – You need to put processes in place to verify individuals' ages and to obtain consent from a parent or guardian before processing a child's data. GDPR sets the age of consent for online services at 16, though member states may lower it to 13.
- Data Breaches – You should have procedures in place to detect, report and investigate personal data breaches. Under GDPR, a breach that is likely to put individuals' rights at risk must be reported to the ICO within 72 hours of the organisation becoming aware of it.
- Data Protection Officers – Businesses should consider whether they need to appoint a Data Protection Officer to oversee GDPR compliance across the organisation. Appointing one is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
- Data Protection by Design and Data Protection Impact Assessments – Familiarise yourself with the ICO's code of practice on Privacy Impact Assessments and work out how and when to carry one out in your organisation. Under GDPR an impact assessment is mandatory where processing is likely to result in a high risk to individuals.
- International – If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority. The Article 29 Working Party guidance will help you do this.
Whilst GDPR has been quite daunting for companies, its key aim is to ensure that companies take more care and are much more transparent about how they use customer data and how long they hold it, and are accountable should anything go wrong, such as that data being mistreated. Companies need to audit their current use of data to ensure they are compliant by May 25th 2018, which is fast approaching. For most businesses GDPR should not disrupt everyday activities; it simply calls for more care and responsibility in how customer data is used.