The EU General Data Protection Regulation (GDPR) comes into force in May this year. It heralds a new era for data protection and, despite Britain’s imminent exit from the EU, compliance is still going to be necessary. The UK Information Commissioner’s Office (ICO) will be responsible for enforcing the penalties in the GDPR if its requirements are not complied with – among them a fine of €20 million or 4% of annual turnover, whichever is greater. The ICO has suggested a checklist of action points for businesses looking to ensure compliance, which includes:
Awareness of the GDPR
Data is handled by everyone in your business, from high-level management to customer services. It’s crucial that everyone understands what the GDPR is and how it will impact them.
The data you hold
Do you know what information your business holds and how you’re currently processing it? This will be a crucial element in compliance and your IT infrastructure has a big role to play in ensuring you have full oversight.
The new rights individuals have
The GDPR has been designed to give individuals more control over their data, how it is handled and where. There is, for example, a new “right to be forgotten”, which will enable individuals to contact a business and request that all the data it holds on them is deleted. This will be quite an ask for many organisations and will require new workflows, processes and adjustments to existing IT infrastructure.
Privacy notices and clauses
Businesses must ensure that these are fully GDPR compliant, which may require review and amendment to reflect GDPR rights, such as the right to be forgotten.
Subject access requests
Individuals can request a copy of all the information that a business holds about them. The business must respond within a month, so new internal processes will be required to ensure timely replies.
Changes to consent
The way that consent is obtained from individuals by businesses looking to process their data is changing radically. Consent must be freely given, informed, specific and unambiguous. So, if your business is still using pre-checked boxes, for example, it’s time to revise how you obtain consent from your customers.
Coping with a data breach
A breach of systems that results in lost or compromised data is already a potential nightmare for most businesses. The GDPR introduces new reporting requirements, which mean it won’t be possible to keep something like this quiet. Data security is prioritised in the GDPR, so if you’re not confident in the security of your IT infrastructure, it might be time for a review.
Data Protection Officer
Many businesses will be required to appoint a Data Protection Officer who will be responsible for data protection compliance within the company. If your business handles sensitive data – or high volumes of data – this requirement is likely to apply to you.
The GDPR will mean significant change for many organisations. If you need support in ensuring that your existing IT infrastructure is ready for the GDPR we can help – contact us to find out more about our security solutions today.