GDPR: Two year countdown starts now
On 25th May 2018, the EU's General Data Protection Regulation (GDPR) will apply across all 28 member states.
Despite the vast amount of information being publicised across member states, a recent survey found that 2 in 5 UK businesses are still unaware of the regulation.
While most businesses may see this as a distant prospect, nearly a third of organisations (29%) don't think the regulation applies to them at all.
But according to the Information Commissioner’s Office (ICO), most organisations, especially multinationals and those using large amounts of legacy data for marketing, should already be on countdown to the compliance date in two years’ time.
“The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades,” said outgoing commissioner, Christopher Graham, in April.
“Organisations simply cannot afford to fall behind. We know data protection officers understand this, and we know they sometimes find their views ignored in the boardroom. The new law gives directors 20 million reasons to start listening.”
Those 20 million reasons refer to the maximum financial penalty (€20 million, or 4% of global annual turnover, whichever is higher) that the new regulation can impose on a business found to be in breach. With this in mind, the ICO last month published a 12 step guide for businesses keen to get the ball rolling and ensure compliance by 2018:
1. Awareness
You should make sure that decision-makers and key people in your organisation are aware that the law is changing to GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children
You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate personal data breaches.
10. Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation's structure and governance arrangements.
12. International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Chris is Editor of MyCustomer. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News. He joined MyCustomer in 2014.