The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes EU member state implementations of the 1995 Data Protection Directive (DPD).
The new law marks a wide-reaching and significant shift in the way that organisations of all sizes must protect personal data.
The key changes introduced by the Regulation are:
- The definition of personal data is broader, bringing more data into the regulated perimeter
- Consent will be necessary for processing children’s data
- The rules for obtaining valid consent have changed
- The appointment of a data protection officer (DPO) will be mandatory for certain companies
- Mandatory data protection impact assessments have been introduced
- There are new requirements for data breach notifications
- Data subjects have the right to be forgotten
- There are new restrictions on international data transfers
- Data processors share responsibility for protecting personal data
- There are new requirements for data portability
- Processes must be built on the principle of privacy by design
- If your business is not in the EU, you will still have to comply with the Regulation
- The GDPR is a one-stop shop
As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.
The principle of Accountability – Data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate, and where necessary, be kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
Here are 12 Steps that your organisation can take now:
- Ensure all decision makers in your organisation are aware the law is changing to the GDPR.
- Document all the personal information you hold, where it came from and who you share it with – undertake an information audit
- Review your current privacy notices and implement a plan to make the necessary changes
- Check your procedures to ensure they cover individuals’ rights (i.e. how you would delete personal data)
- Update your procedures and plan how to handle requests within the new timescales
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notices
- Review how you seek, record and manage consent and, if these practices do not meet the new GDPR standards, update them
- Identify whether you need to implement systems to verify individuals’ ages and to obtain parental consent for children.
- Ensure you have procedures in place to detect, report and investigate personal data breaches
- Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and establish whether your organisation needs to implement them
- Designate Data Protection Officers within your organisation
- If your organisation operates in more than one EU member state, you need to determine your lead data protection supervisory authority.
We hope this brief summary has been useful in providing an overview; more detailed information can be found at https://www.eugdpr.org/