Several of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation which comes into force on 25th May 2018. The answer is a resounding yes! We’ve already helped numerous clients with this over the last few months and have developed a simple step by step approach.
Here’s a whistle stop tour of GDPR and what you need to know:
What is GDPR?
GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces tougher fines for non-compliance and gives people more say on what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
But what about Brexit?
GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.
What are the main things that are going to change?
Your organisation will likely need to change how it collects, manages and administers data. Moving forward:
- You need to give a clear reason for collecting data.
- You must have positive consent from an individual that shows they are happy to receive future communications.
- GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care.
- People have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”.
What is the penalty if we fail to comply?
Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).
What recommended actions should we take?
- Even though it’s not a legal requirement, it would be a good idea to appoint an expert or a dedicated Data Protection Officer. They can work with departments within the organisation and advise on all matters relating to Data Protection law.
- Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts.
What can I do now to prepare for GDPR?
- The first thing is not to panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process but through good planning; structure and teamwork, you’ll be fine.
What can Ignition Law do to help?
We’ve developed a simple 3 step approach which covers everything you need to know to ensure you comply with the new legislation. This covers:
- Educating you and your colleagues – coming in to your offices to provide you with a short, informed talk on GDPR and how it will apply to you and your business. A whole organisation approach is helpful (where all employees know the basics) and this talk will help to do that.
- Auditing your data – either by providing you with a questionnaire to complete or coming in and holding interviews to determine exactly how you use data as a business.
- On the basis of the above, putting together data use and data breach policies for the whole organisation (including how to respond to any Subject Access Requests and any new requests to delete data held under the new GDPR ‘right to be forgotten’).
We hope this article has helped you understand the basics of GDPR and the changes that are afoot. If you’d like to talk to us about how you can be fully prepared for GDPR then do get in touch with firstname.lastname@example.org or email@example.com