The first step to making sure that you are ready for GDPR is understanding what GDPR is – GDPR stands for General Data Protection Regulation and will come into effect in the UK from 25th May 2018. The new GDPR is an EU law giving extra rights to individuals regarding their personal information and how it is stored and processed. This will bring a new challenge to UK businesses, as tougher data protection laws come into force, raising standards in data control and processing – and now is the time to prepare. Brexit will have no impact on the GDPR requirements. The UK Government has made it very clear that it will be implementing the new rules regardless.
In brief, this new framework means customers or clients can challenge the accuracy of any data held on them and demand to know how their personal details are being used. Organisations will have to respond to enquiries quickly – within a month, rather than the current 40 days – and won’t be able to charge for providing a response.
Depending on the type of business you run, individuals may have the ‘right to be forgotten’ (to have their personal data removed from your system) unless there is a legitimate reason for keeping it there.
In some circumstances, individuals can withhold consent for data-processing or request that you transfer their details to another organisation.
There are various improvements to individuals’ rights that you need to be aware of. To find out how this affects your business, visit the Information Commissioner’s Office (ICO).
Failing to prepare for this change in the law could land your business in hot water, as non-compliance may attract large penalties, even for very small businesses. Once GDPR becomes law, there is no further period of grace. Here are a few tips on preparing for GDPR:
- Carry out an information audit across your organisation.
- Document what personal data you hold, where it originated and who you share it with.
- Educate your key staff on the GDPR and work together to identify where improvements are needed.
- Check that your procedures cover all of the new rights that individuals will have.
- Agree a timetable for implementing new procedures ahead of 25th May 2018.
- Review existing privacy notices – under GDPR you’ll need to state your lawful basis for processing the data, your data retention periods, and the fact that people have the right to complain to the ICO about how their data is being handled.
- Review how you seek, record and manage consent for storing and processing data.
- Refresh existing consents if they don’t meet the GDPR standard.
- If you provide services to children, obtain consent from parents or guardians.
- Plan procedures in advance to deal with any data breach that may occur after 25th May 2018 – there are strict rules about reporting breaches.
If you are already compliant with the current Data Protection Act, you already have a strong platform to build on, as many of the principles are the same. The best place to stay up to date and find answers to your questions is the Information Commissioner’s Office’s website. The ICO has also created a 12-step guide to help you prepare.
These tips are for general information only. You will need to know the requirements of GDPR in depth and apply them to your organisation. Checklists are available from the ICO.