25th May 2018 will see the biggest reform to Data Protection law in almost two decades, with the implementation of the General Data Protection Regulation (GDPR).
Even though the UK is leaving the EU, Brexit won’t affect the GDPR. The government has already confirmed that businesses still need to comply with the new regulations.
Since the Data Protection Act (DPA) came into force almost 20 years ago, people have completely changed the way they use the internet, mobiles, social media and e-commerce. As a result, businesses and organisations have started collecting and processing personal data in new ways too. The GDPR is intended to bring the law into line with reality.
If you’re already compliant with the DPA, you’ll probably be compliant with much of the GDPR too. However, there are some important differences.
GDPR tightens up the rules on how companies can use personal data. If you gather, process and store information about your users or customers, you’ll need to be far more transparent about how you do it. You’ll need their explicit consent up front – or, for children under 16, consent from a parent. It’s not enough for people to give their consent implicitly; they must actively say that they agree to share their data. They’ll also have new rights to change their minds, see what data you hold or ask for it to be deleted.
Behind all these new regulations are some serious penalties for non-compliance. Local Data Protection Agencies will be able to impose fines for violations of up to €20m, or 4% of a firm’s global turnover. Also, groups of people who feel they’ve been victims of breaches can join forces to take action against the offending firms.
The Information Commissioner’s Office (ICO) has put together a twelve-point plan and advises organisations to start preparing now so that they are compliant with the GDPR by the time it comes into force. You can read the full plan (PDF), and we’ve put together a quick summary below.
- Know the law. Everyone who will be affected by the new regulations needs to know about them, and how their work will be affected.
- Know your data. An essential first step is to document what personal data you hold, where it came from, how you process it and who you share it with. This may mean carrying out an information audit.
- Revise your notices. Look at how you tell people about your privacy policies and how you use their data, and plan to make any necessary changes before the new law comes into force.
- Check individuals’ rights. Your procedures need to take account of the new rights people have under the GDPR. For example, think about how you would delete personal data, or provide it electronically, if someone asked you to.
- Think about access requests. Start thinking about how you’ll deal with requests to access personal data within the necessary timescales.
- Check the legal basis for processing data. Review the way you currently process people’s data and make sure there is a sound legal basis for doing so. Make a record of this legal basis in case you need it later.
- Consider consent. Review how you seek, obtain and record people’s consent to gather and store their information, and identify what needs to change.
- Make plans for children. You may need a way to verify people’s ages, and get parental consent to process their data if they’re under 16.
- Plan for breaches. You will need to make plans for how you’ll detect, report and investigate a personal data breach.
- Prepare for PIAs. Read the ICO’s guidance on Privacy Impact Assessments (PDF), and work out when and how you might need to carry them out.
- Choose a DPO. You may need to choose or appoint a Data Protection Officer to oversee everything that needs to be done in order to comply with the GDPR.
- Know your nationality. If you operate internationally, you’ll need to know which data protection supervisory authority you come under.
Complying with the GDPR is about getting rid of data you don’t need, as well as safeguarding data you’re actually using. That’s why it makes sense to start working with a partner who can dispose of all your unwanted records, whether they’re held in paper or electronic format. With a contract in place, plus a robust policy on when and how you’ll dispose of confidential data, you can be confident that your organisation isn’t holding on to information that could make you non-compliant with the new regulations.
Speak to one of our secure shredding specialists today about your confidential data disposal requirements.