Are you ready for the General Data Protection Regulation (GDPR)?

April 4, 2017 | March 21st, 2019 | Current Affairs, Legal Update
General Data Protection Regulation (GDPR) | HR Solutions

The General Data Protection Regulation (GDPR) will come into force from 25 May 2018 and will determine how organisations process data across the EU.

However, despite this being only a year away, many companies haven’t even started to look at how compliant they are. But they risk substantial fines if they ignore the regulations or hope that Brexit means that UK companies will escape the EU regulation.

Who has to comply?

All organisations in the EU will need to comply with these new rules. Any organisations outside the EU that monitor EU residents or offer services or goods to EU consumers must also comply. The GDPR applies to all controllers and processors currently subject to EU data protection laws.

How to ensure you are compliant

Companies need to have vigorous policies and processes established to guarantee compliance. As an employer, you need to be aware of the changes and, importantly, to make your employees aware too. You will need to ensure you are up to date with the changes before they take effect.

Review the personal data you hold

You should evaluate what personal data you currently hold, where it’s held and how you received it. It’s worth undertaking an audit to understand if you’ve shared any of the information you hold with third parties. This will highlight any risky processing activities that may need addressing.

Evaluate privacy notices and policies

All organisations should conduct an appraisal of their privacy notices and policies to check they are accessible and written in plain language. You should change anything requiring amendment as soon as possible.

Know the rights of your data subjects

A data subject is a living person about whom you hold personal data.

Data subjects have the right to know how you use their personal data. They must also have access to their personal data when they wish, and they must have the opportunity to correct their personal information if necessary. Furthermore, if you have passed on the data to a third party, the organisation must update it within one month, or for complex data, within three months.

People can request to have their data removed and organisations must action these wishes. This includes data passed on to third parties.

Companies and organisations should examine how they process data access requests and ensure they can meet the timescales set by the GDPR.

Processing personal data

Organisations whose data processing activities involve regular and systematic monitoring of data subjects on a large scale, or who process sensitive personal data on a large scale, should appoint a Data Processing Officer who will be the primary contact point for data protection issues within the organisation. You should also document how and what data you’re processing and the legal basis for carrying out such processing. If you receive data processing services from a third party, you should also review any responsibilities you have and document them.

Verify consent

Putting procedures in place to show how you seek, obtain and record consent is very important. You may want to review whether you can show that you have a genuine interest in processing the data without consent, and that the data subject’s interests do not override this interest. If you rely on receiving consent from data subjects, you will need to prove that the data subjects gave their consent freely. You should also put in place procedures to verify your data subjects’ ages, to ascertain whether you require parental consent.

Breaches of data

You should put in place policies that allow your organisation to spot and investigate any data breaches. If there are breaches, you must act quickly to make sure you comply with the time limits set by the GDPR.

Audit international business

If your company or organisation functions internationally, you need to look into what effect the GDPR will have.

Passing data to non-compliant organisations

If your organisation transfers data anywhere that doesn’t have adequate data protection regulation, then you must show that you have a legitimate reason for transferring data to that location.

