The GDPR (General Data Protection Regulation) comes into effect on 25th May 2018, and brings with it important changes for businesses.
It’s not a massive step away from the current Data Protection Act (DPA). Those of you who are currently compliant with the DPA will have a few ‘modified concepts’ to address, but will be most of the way to being GDPR compliant already.
The main changes are centred around the way in which data is held and processed. Restrictions are tighter and essentially give people back control of their personal data.
Fines for non-compliance are changing quite drastically too, increasing to a maximum of 20 million Euros or 4% of global turnover – whichever is higher.
To help you avoid these fines and become GDPR-compliant, here are 6 things you need to be aware of:
1. Map and audit your data
You need to understand what personal data you have, where it’s stored, how it’s processed and what you tell people about how you’re using their data. This will help you understand whether you’re a data processor or a data controller – you may be both for different pieces of data.
Once you have established this, you can determine which pieces of data are more vital to protect. You will need to be clear on who is responsible for controlling and processing the data, making sure the correct contracts, policies and regulations are in place.
2. Consider your third-party processors
You may not be the only one processing your data – companies who you outsource to, such as payroll, pensions and health insurance organisations also need to be compliant.
3. Use of consent
This is an important one. Under the current DPA, consent to use people’s data (e.g. email addresses to contact them about offers, events etc) could be acquired on an automatic opt-in basis and the individual would have to take responsibility if they wanted to opt out from further communication.
With the GDPR, this is no longer the case. People are automatically opted out and must give consent to opt in, and you must be able to prove that they’ve given it.
4. Fully informed
Data subjects need to be fully informed about how and why their data is being processed and used. This means amending your T&Cs where appropriate to be fully transparent.
5. SARs (Subject Access Requests)
Currently, there’s a £10 fee if an individual makes a subject access request. Under the GDPR, the fee is being scrapped and the time limit for compliance is being reduced from 40 days to one month.
6. Data breach management
You will have 72 hours to report any loss or theft of data to the Information Commissioner’s Office (ICO), and you must inform the affected individuals without “undue delay”.
Compliance: a journey of 3 parts
Each organisation is unique and the road to compliance will be different as well. However, we believe that GDPR compliance is going to be achieved through working with three partners…
1. You need lawyers who can advise you on what data you hold, and how it should be treated (or, many of our customers are able to understand their requirements themselves, without needing to engage lawyers – but that’s your choice!). projectfive cannot provide legal advice, and the ideas discussed in this article do not constitute legal advice.
2. Your IT manager or company can work with you to ensure your internal infrastructure meets the standards recommended by the lawyers – in terms of cyber security, intrusion/breach detection, and auditing of who is accessing personal data and/or sensitive personal data. They might also need to put in place some systems to help you if you expect to receive Subject Access Requests (SARs) from individuals.
3. Your external systems (such as your website or cloud-based CRM system) will need the involvement of the web developers, software providers and marketing agencies to ensure compliance with the lawyers’ advice.
We know that GDPR compliance can sound overwhelming, but we will work with you to make sure the process is as smooth as possible. With some preparation and planning, you will be ready for 25th May 2018.