OVERVIEW OF THE GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR is a new regulation intended to strengthen and unify data protection for all individuals within the European Union (EU).
The GDPR comes into force in the UK on 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act (DPA), it is likely that you will also be subject to the GDPR.
The GDPR places specific legal obligations on both controllers and processors, for example, requiring you to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to ‘personal data’. Its definition is more detailed than the one in the current DPA, and information such as an online identifier (e.g. an IP address) can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
Audit and Guidance: £375 + VAT
- Onsite visit
- Information audit
- Marketing and privacy guidance
- Data and cyber security advice
Templates and Training: £875 + VAT
- Pre-populated procedures template
- Onsite training
In summary, you will be required to:
- Prepare and maintain documentation on your policy and for compliance with the GDPR;
- Appoint someone in your business to be the point of contact for data protection;
- Review existing procedures for weaknesses and areas to strengthen ahead of the new regulations;
- Ensure you have a legal basis to hold personal data and have a valid reason for holding it;
- Ensure you keep any data protected and secure;
- Have procedures for reporting data breaches; and
- Keep your records up to date.
Below are some useful links to help get you started.
Disclaimer: This overview should not be relied upon as comprehensive guidance but as a reminder of some of the key points of the GDPR. Users should refer to the Information Commissioner’s Office for more detailed guidance. Please see www.ico.org.uk. If you require further help with your planning, please contact us.
The GDPR comes into force on 25 May 2018. You should start planning so that on that date you can demonstrate compliance with the GDPR. Businesses are expected to put into place comprehensive but proportionate governance measures.
The following checklist will allow you to prepare for the GDPR by documenting existing procedures and looking for areas to strengthen. If you complete the planning yourself, you will need to use your judgement to confirm you have proportionate governance measures; alternatively, you may choose to use an external consultant. Document the actions you are planning to take and note the changes.
- Review all data held and ask “why is it held?” and “do you still need it?” and “is it safe?” Make sure you note the different sorts of data you hold e.g. employees, customers, suppliers, third parties;
- Look at your consent procedures as well as the privacy notices on your web site and in your terms of business. Do you get customers to positively agree to you holding their data?
- Document the reasons you hold data, e.g. consent, legitimate interests or a legal obligation to collect and process data;
- Plan how you will handle data requests and the right to be forgotten from individuals within the new timescales;
- Look at your processes to keep data safe, identify any problem areas (e.g. data held on mobile devices) and decide how you can reduce the risk of data breaches (e.g. encryption). This will also mean looking at the security of your data back-ups, computers and passwords, and identifying new technology to help you comply with the GDPR;
- Document the procedures you have in place to detect, report and investigate data breaches and let everyone in your business know about your new data protection policy;
- Consider who in your business will be the person responsible for the GDPR, for making sure all employees are aware of the new regulations, and for ensuring compliance.