The General Data Protection Regulation (GDPR) is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU), and will apply from 25 May 2018, changing the way businesses manage personal data.
GDPR’s main concepts and principles are much the same as the current Data Protection Act, so most of your approach to compliance will remain valid under the GDPR and can be a great point to start from. However, the GDPR does come with some new elements which you will need to change and incorporate into your current processes and practice. Here we highlight the key areas you need to be aware of and act upon:
Awareness: This may seem simple but you must make key people aware that the law is changing to the GDPR.
Information you hold: It will be necessary to document all the personal data you hold including where it came from and who you share it with.
Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes.
Individuals’ rights: Check your procedures to ensure they cover all the rights individuals have.
Subject access requests: Update procedures and plan how you will handle requests within the new timescales (one month under the GDPR, rather than the current 40 days), and note that in most cases you will no longer be able to charge a fee.
Lawful basis for processing: Identify the lawful basis for processing activity, document it and update your privacy notice to explain it.
Consent: Review how you seek, record and manage consent. Refresh existing consents if they don’t meet GDPR standards.
Children: If you offer online services to children and rely on consent to process their data, put systems in place to verify individuals’ ages and to obtain parental or guardian consent.
Data breaches: Put procedures in place to detect, report and investigate a personal data breach. Under the GDPR, a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO within 72 hours of becoming aware of it, so you need to be able to detect and assess an incident quickly.
Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party. Work out how to implement these.
Data Protection Officers: Designate someone to take responsibility for data protection compliance. You should consider whether you are required to formally designate a Data Protection Officer.
International: If your company operates in more than one EU member state, you must determine your lead data protection supervisory authority.
Although the new law doesn’t come into effect until May 2018 it’s a good idea to start protecting your data as best you can now.
Cyber security is a huge part of GDPR: the regulation requires you to keep personal data secure using appropriate technical and organisational measures, and this week our blogs will help you to understand what you need to know.
Look out for our blog tomorrow “Cyber Security, what is it?”…
Get in touch and let HR Revolution run through a GDPR audit to see where and how quickly changes can be implemented.
Call +44 203 538 5311, email: firstname.lastname@example.org or visit: www.hrrevolution.co.uk where our expert CIPD HR professionals are waiting to help you with any questions you may have.
HR Revolution; supporting you, your employees AND your business.