GDPR – Are you prepared?
I know what you’re thinking… another article about GDPR. However, it comes into force pretty soon, on 25th May in fact, and companies and organisations need to make sure they are prepared, because there are penalties and fines for failing to comply!
Here’s a quick rundown of the things you’ll need to take into consideration:
- What Information You Hold – Create a data map across the business which includes all personal data you hold. What data do you hold? Where did it come from? How was it collected? How long have you had it for – do you need it? Who is the information shared with?
- Training and Awareness – Make sure your staff and colleagues know the new rules. Anyone who collects a lot of data, e.g. reception, will need to make sure that data is securely stored. Also, anyone who sends personal data externally or internally must make sure that the data is transferred in a secure way and that the correct permission to do so has been given.
- Privacy Notice – All companies will now need a Privacy Notice on their website to show how data is processed within the company, detailing each process. You’ll need to ask yourselves: Why do you need the data? What’s your legal basis for processing that data (e.g. to complete an order)? How can a data subject (any person whose data is on your database) get in contact to access the data you hold on them? And do any 3rd parties have access to their data, and why?
- Individual Rights – The new policy states that a data subject has the following rights: to be notified if you process their data, the right to have the details you hold on them corrected, and the right to object to their data being processed at any time without giving a reason, unless the company has legitimate grounds to process the data anyway. The data subject also has the right to be forgotten, which means all their data must be deleted from your database (if data has been sent to a 3rd party, you must extend the request to them also).
- Subject Access Request – Data subjects have the right to request a copy of any personal data you hold on them. You have 30 days to comply with the request otherwise this is classed as a breach of GDPR.
- Lawful Basis of Processing – You are required to identify the lawful bases for how you process data (these should be detailed in your Privacy Notice). Lawful processing must rely on at least one of the following: consent to process, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, or legitimate interests.
- Consent – This is defined as: any freely given, specific, informed and unambiguous indication of the subject’s wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The subject must know what they are agreeing to and where and how their data will be used. It must also be as easy to withdraw consent as it is to give it. Children’s data must always have the correct consent from a parent or guardian and is classed as sensitive data.
- Data Breaches – There are quite a few ways to breach GDPR, so chances are most companies or organisations will suffer a breach at some point – even sending an email to the wrong person is classed as a breach. Policies need to be in place to detect, report and investigate a data breach. All breaches must be reported to the Information Commissioner’s Office (ICO) and/or the data subject (depending on the severity of the breach) within 72 hours. There are 3 types of breach reporting: if the breach can affect the rights and freedoms of the subject, then they of course need to be notified directly. If the breach is large scale (a lot of data is compromised) but does not affect the rights and freedoms of the subjects, then the ICO needs to be notified, but the subjects do not need to be contacted. If the breach is minor, e.g. a lost laptop where the data is secure and backed up, then there is no need to report it to the ICO; just record that it happened. In short, a breach is any instance where personal data becomes exposed to an unauthorised person – for example, a hacked computer, a lost USB stick, or data written on paper going missing. It also includes accidental or unlawful destruction of data, loss or alteration, and unauthorised disclosure of personal data.
- Data Protection by Design – Make sure you are thinking about what data you have and what data you need, rather than what you want. This will make it easier going forward to map where your data is, instead of gathering the data first without a plan and then trying to work out where it all is and who has it!
- Fines – There are 2 levels of fines: Lower level fines – failure to obtain consent for processing children’s data, failure to maintain written records, failure to report breaches within 72 hours. Subject to administrative fines of up to 2% of annual turnover, capped at 10 million euros. Upper level fines – failure to adhere to the basic principles of consent, abuse of data. Subject to administrative fines of up to 4% of annual turnover, capped at 20 million euros.
So there it is, your layman’s guide to GDPR and what it means for you and your business. The most important thing right now is making sure your Privacy Notice is up and available for your customers or users to see, then making sure you have policies in place to map where the data for each person on your system is held and who holds it. After that you should be a good step forward on your GDPR compliance.