This is a short article we will be publishing as a business soon, and we thought the St Albans Businesses Group would benefit from a sneak preview. We have been involved in a number of projects surrounding GDPR, and have a number coming up, and we expect this to get busier for us as the deadline approaches. We believe it will continue after that date too, as we still find that, even though everyone is talking about it, many businesses, in particular smaller ones, do not know about it.
Businesses are, these days, fed up with constant reminders about GDPR, and perhaps with resellers and organisations emailing and calling about products and services they offer to ease the GDPR pain that's coming up. Everyone knows the date, but what do you actually have to do?
GDPR stands for General Data Protection Regulation, and for those who do not know, it has essentially been created to protect the data and information of EU residents, even if the business is based outside of the European Union. For years it's been the Data Protection Act; GDPR is the DPA on steroids and requires businesses to take steps to minimise the risks of a data breach (through encryption and standard processes and procedures) and to maximise the security of EU residents' personal information.
What do you need to do?
There are a number of steps involved; below are the basic first steps, in our opinion, needed to assist you in becoming GDPR compliant. I say compliant, as there is no certificate or procedure you can pass, but it enables you to have a good, solid understanding of your data and essentially be in control of it.
- Awareness – appoint someone in the business to be responsible for Data Protection or have the additional role of the Data Protection Officer. Ensure decision makers, management and staff are aware of the new Regulation coming into force and its impact.
- Document the personal data you hold, where it has come from, who you share it with and its location, storage medium or the application it's housed in.
- Communication – Review your current privacy notices and see what amendments and changes need to be put into place to comply with GDPR with a timeframe.
- Procedures – ensure your procedures are in place and defined to cover individuals' rights under GDPR, including how to delete or provide personal data if a request were to be made.
- Subject Access Request (SAR) procedures should be updated, as the timescales to respond have changed and you will need to provide information within the new timescales.
- Consent – review the current methods for gaining consent and see if any changes are required in light of the new Regulation.
- If your business operates internationally, across EU member states, determine your lead data protection supervisory authority.
Key Changes from the DPA to GDPR
As a business or organisation that processes EU residents' personal data, you need to meet the requirements of the Regulation. Why should you do it? Basically, the fines can be significant, up to 4% of the business's global turnover, not profit, which is enough to cripple a business. Listed below are, in our opinion, the key changes from the DPA to GDPR.
- Data subjects, EU Residents, have the right to be forgotten.
- The role of the Data Protection Officer will be mandatory for certain types of organisation.
- Any existing processes have to be considered, or new ones built, with Privacy by Design as a principle.
- There are strict new requirements for notifications of a data breach.
- Consent will be needed for any processing of children's data.
- Restrictions on international data transfers.
- If your business operates outside of the EU, it still has to comply with the Regulation.
Any Brexit Impact?
In a word, no. Your organisation will need to comply regardless of the status of Great Britain within the European Union.
What steps is your business taking on the road to GDPR?
Get in touch with us if you need any additional help – www.networkandsecurity.co.uk