On 25 May 2018, the new General Data Protection Regulation (GDPR) is set to take effect. Under the new rules, organisations which collect, store and process individuals' personal information will be subject to new obligations, with an increased emphasis on accountability and transparency. Here, we outline some key steps you should take to help ensure that your business is prepared.
Businesses should make sure they have up-to-date records relating to the personal data that they hold. These records should include where the data came from and who it has been shared with.
Under the new GDPR, businesses must comply with the new 'accountability' principle, which outlines the need to demonstrate how they are abiding by the new data protection requirements.
Businesses must identify their lawful basis for processing activity within the GDPR, record this and update their privacy notices accordingly.
The GDPR will modify some individuals' rights, depending on a firm's lawful basis for processing personal data. If you use consent as your lawful basis for processing, clients will have a greater right to have their data deleted, if they so wish.
Your lawful basis will also have to be set out upon answering a subject access request. Businesses are advised to document their lawful basis so that they remain compliant with the accountability requirements of the GDPR.
Businesses should review any privacy notices they have and, where necessary, make sure that these are amended in time for the implementation of the GDPR.
Under the new rules, businesses are required not only to inform individuals about their identity and how they intend to make use of the data, but also to explain their lawful basis for processing the information, as well as outlining their data retention periods. Businesses must also inform their clients that they have a right to complain to the Information Commissioner's Office (ICO) if they believe that there is an issue with the way in which their personal data is being handled.
Businesses are urged to make sure that adequate security systems are in place to detect, report and investigate any breaches.
The new GDPR will introduce a requirement for firms to report certain types of data breach to the ICO. The ICO must be notified if the data breach may result in a risk to individuals' rights and freedoms. Businesses will also be required to inform affected clients in cases where the breach results in a high risk to individuals' rights and freedoms.
Larger businesses may wish to create policies for handling data breaches, and communicate these to their employees.
Businesses are advised to review how they seek, record and manage individuals' consent. Consent must be given freely, and should also be informed, unambiguous and verifiable.
The business must also provide simple ways for clients to withdraw their consent.
Appointing a Data Protection Officer may help to ensure that your business complies with the stringent GDPR data protection rules.
Public authorities, organisations that process health records or criminal records and organisations that monitor individuals on a large scale are required to appoint a Data Protection Officer.
These are just some of the key measures you should consider to help ensure that your business is ready for the introduction of the new GDPR. Further information can be found on the ICO website.