The GDPR is a new regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).
The GDPR takes force in the UK from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’. The controller determines how and why personal data is processed; the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
The GDPR places specific legal obligations on both controllers and processors, for example requiring you to maintain records of the personal data you hold and of your processing activities. You will have significantly more legal liability if you are responsible for a breach. Direct obligations on processors are a new requirement under the GDPR; under the DPA they fell on the controller alone.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR’s definition of ‘personal data’ is more detailed than the DPA’s, and information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition allows a wide range of personal identifiers to constitute personal data, reflecting changes in technology and in the way organisations collect information about people.
In summary, you will be required to:
- Prepare and maintain documentation of your data protection policy and of your compliance with the GDPR;
- Appoint someone in your business to be the point of contact for data protection;
- Review existing procedures for weaknesses and areas to strengthen ahead of the new regulations;
- Ensure you have a lawful basis for holding and processing personal data, and a valid reason for continuing to hold it;
- Ensure you keep any data protected and secure;
- Have procedures for reporting data breaches; and
- Keep your records up to date.
Please see https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ for further information on the GDPR.
The following actions checklist may be helpful:
- Review all data held and ask “why is it held?”, “do you still need it?” and “is it secure?” Make a note of the different sorts of data you hold, e.g. employees, customers, suppliers, third parties
- Make a list of the devices and systems where personal data is held
- Look at your consent procedures as well as the privacy notices on your website and in your terms of business. Do you get customers to positively agree to you holding their data?
- Document the lawful basis on which you hold data, e.g. consent, legitimate interests or a legal obligation to collect and process the data
- Plan how you will handle subject access requests and requests for erasure (the “right to be forgotten”) from individuals within the new timescales; under the GDPR you must respond within one month, rather than the 40 days allowed under the DPA
- Look at your processes for keeping data safe, identify any problem areas (e.g. data held on mobile devices) and decide how you can reduce the risk of data breaches (e.g. encryption). This also means reviewing the security of your backups, computers and passwords, and identifying new technology that can help you comply with the GDPR
- Is your anti-virus and internet security software up to date?
- Document the business policy regarding personal devices and data
- Document procedures for ensuring any confidential data is encrypted
- Document the procedures you have in place to detect, report and investigate data breaches (under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it), and let everyone in your business know about your new data protection policy
- Consider who in your business will be responsible for the GDPR, for making sure all employees are aware of the new regulations, and for ensuring compliance.
- Does the business have cyber insurance, and would it be beneficial?
- Would the business benefit from an independent data audit?