GDPR comes into effect in 2018. It will affect all businesses. What steps should your firm be taking to prepare for GDPR?
The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018. GDPR will supersede the UK’s Data Protection Act 1998. It will affect all businesses in the UK and the EU, along with any businesses that handle data belonging to EU citizens. In this blog post we will take a look at the steps your firm should be taking to prepare for GDPR.
What is GDPR?
The GDPR is a regulation that was created by the EU. GDPR was signed off in May 2016, at which point affected businesses were given two years to prepare for it to come into force. GDPR has been created in response to the changing ways in which businesses handle personal data.
Since the Data Protection Act 1998 came into being, the rise of the Internet and cloud computing has revolutionised the ways in which data is handled by businesses and not for profit organisations. GDPR gives individuals more control over the use of their personal data, and aims to create a more straightforward legal structure in which businesses can operate.
The main principles behind GDPR are similar to those of the Data Protection Act 1998. However, GDPR features a number of enhancements over the current legislation. From 25th May 2018, failing to abide by the GDPR’s principles can lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater.
How to Prepare for GDPR
The Information Commissioner’s Office (ICO) has produced a checklist that highlights 12 steps businesses should take to prepare for GDPR. The ICO exists to uphold information rights in the public interest, and it is the body that enforces the current Data Protection Act 1998 in the UK.
The ICO’s 12 steps to prepare for GDPR are as follows:
- Awareness: key stakeholders within your business need to be aware of the transition to the GDPR.
- Information you hold: all personal data your business holds needs to be documented, noting where it came from and who it is shared with.
- Communicating privacy information: your privacy notices should be reviewed, with plans to make amendments in time for when GDPR comes into force.
- Individuals’ rights: your procedures need to cover individuals’ rights, including the deletion or provision of personal data upon request.
- Subject access requests: access requests will need to be handled more quickly under GDPR, so you will need to prepare to deal with these new timescales.
- Legal basis for processing personal data: your business needs to identify and document the legal basis for the data processing that you carry out.
- Consent: review how consent is sought, obtained, and recorded, and establish whether any changes are required.
- Children: GDPR requires that you verify individuals’ ages, and if necessary obtain parental or guardian consent prior to data processing being carried out.
- Data breaches: under GDPR, businesses will face potentially heavy fines for suffering data breaches. Ensure that you have the procedures in place to detect and investigate any data breach.
- Impact assessments: the ICO has produced guidance on Privacy Impact Assessments, which will help you understand when they should be implemented at your business.
- Data protection officers: your business will need someone to take responsibility for data protection compliance. This may be a designated Data Protection Officer, or the responsibility may sit elsewhere within the business.
- International: businesses that operate internationally should determine which data protection supervisory authority they are governed by.
Prepare Your Business
If your business already complies with Data Protection Act 1998 requirements, these will form a solid foundation from which you can build towards GDPR compliance. However, there are a number of areas where GDPR differs from the Data Protection Act 1998, and so to prepare for GDPR you may wish to engage with specialist support. Contact Capital Support if you’d like to discuss your business’s GDPR preparedness.