Here’s a thing that’s cropping up quite a bit in conversation and across those social channels upon which we all love to share and comment. The General Data Protection Regulation (GDPR).
You may know all about it already, which is great. Or, you’ve heard about it but aren’t really sure what it’s all about. And then again, perhaps you haven’t heard about it at all.
Well, if you and your organisation capture, handle, store, or share any kind of personal data, then it’s actually something you really do want to get some kind of a handle on. And sooner, rather than later.
Because it’s kind of important.
Which is why, to get you on the right track, we’ve put together a handy little guide featuring the key points that you will need to know.
We’re nice like that.
The Important Questions
What is the GDPR?
It’s as good a place to start as any. GDPR, or the General Data Protection Regulation, is a new EU regulation that replaces the 1995 Data Protection Directive, which in the UK was implemented as the Data Protection Act 1998. Because it is a regulation rather than a directive, it applies directly in every member state without each country needing to write its own law.
Is it already upon us?
No. The regulation doesn’t come into force until May 25th 2018. But don’t do what you used to do with your Geography homework and leave it until the night before. There’s plenty you may need to check or put in place. So now would be a good time to get started.
Who Does It Concern?
It’s the set of rules for personal data protection, and every organisation established in the EU must comply. It also reaches beyond the EU’s borders: an organisation based elsewhere that offers goods or services to people in the EU, or monitors their behaviour (website tracking, for example), is caught by it too.
What about Brexit and Article 50 and all that jazz?
Doesn’t matter. Organisations within the UK will still have to comply with the regulation when it comes in. For one thing, the UK will still be in the EU in May 2018, so will still be held to its rules. Second, the Government has confirmed that it will be implementing GDPR regardless of Brexit.
Who Needs to Know About it?
Everyone in the organisation, or company. Business owners need to ensure that they have given their employees clear guidance on the regulation and on the procedures that need to be in place for due diligence. Saying ‘I didn’t know’ is not going to be a valid excuse.
The Key Requirements
All privacy notices that you issue need to be audited and amended so that they comply with the new requirements. That means telling people, in plain language, who you are, why you are collecting their data, what your legal basis for processing it is, how long you will keep it, and who you will share it with.
Any personal data you hold needs to be accurate and up-to-date. If you have shared data with another organisation, you must tell that organisation about any corrections or deletions you make to it. And when data is changed, you need to record the change, so that you keep an accurate record / trail of the amendments and can show how you are complying.
Individuals are set to have much greater access to any of the personal data that an organisation stores on them. They will legally be allowed to see this data in its entirety, and in most cases you must provide it free of charge and within a month of the request. They can also object to direct marketing outright, and to profiling in many circumstances. Individuals can also request deletion of all the data held on them, the so-called right to erasure; it is not absolute (you can keep data you are legally obliged to retain, for example), but your procedures and processes need to be ready to handle these requests once GDPR is enforced.
Ensure that your policies are in full compliance with the new GDPR rules on consent. Where you rely on consent to process someone’s data, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes and silence do not count, it must be as easy to withdraw consent as it was to give it, and you need to be able to show when and how consent was obtained.
GDPR will enforce ever stricter rules upon organisations to ensure that they are taking appropriate technical and organisational measures to guard against data theft, loss, or other breach. Clear evidence must be shown that you have taken diligent measures in regard to security software, access controls, physical security, and other aspects such as backups and disaster recovery plans.
And if you do suffer a breach that is likely to put people at risk, then it is your duty to let the Information Commissioner’s Office (ICO) know without undue delay, and within 72 hours of becoming aware of it where feasible. Where the breach is likely to result in a high risk to the people affected, you must tell them directly as well. Either way, keep a record of every breach, including the ones you decide do not need reporting, and your reasoning.
Your terms of service and contracts need to reflect the seriousness with which you take your obligations to security. In particular, any third party that processes personal data on your behalf must be bound by a written contract setting out what they may do with the data and the security measures they must maintain.
Some organisations will be required to appoint a Data Protection Officer to oversee all obligations and responsibilities: public authorities, and any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data such as health or criminal records. Others may appoint one voluntarily. 3rd party or external officers are permitted; you must publish the DPO’s contact details and give them to the ICO, and the DPO must be able to report to the highest level of management.
And there you have it. Obviously, there’s a little more detail into which you’ll need to delve, but these are the key issues that need to be adhered to, and in place by May 25th 2018. It’s likely that a lot of this stuff is already happening in your company; but you do need to take a fine-tooth comb to your policies, procedures, and safeguards to make sure they comply. And to make sure that everyone in your company is well and truly in the know.