GDPR - What You Need To Know!
Overview of the GDPR
The General Data Protection Regulation (GDPR) is a new regulation concerning the way data is handled and stored within the EU. It will apply to any company handling personal data pertaining to EU citizens, regardless of whether or not the company is based within the EU. The GDPR aims to harmonise data protection laws across Europe, and to give citizens more control over what data companies store about them by allowing them to withdraw their consent at any time.
The regulation will be enforced from 25th May 2018 onwards, and businesses that are not compliant by this time will face heavy fines.
Perpetuum GDPR Consultancy and Training services
We can offer a range of services to help an organisation prepare for, and be ready for, the introduction of GDPR in May 2018. These include:
- Gap Analysis – to assist in understanding where the organisation currently sits with GDPR compliance, and to produce a roadmap to compliance
- GDPR Data Flow Audit – helps you understand what personal data you hold and how it is shared, and maps the processes used
- Data Protection Impact Assessment – understand the risks associated with a process and implement a mitigation plan to reduce them
- Project Management to support the implementation of GDPR policies
- GDPR Training and Awareness – certified instructors help staff and management understand how the GDPR will affect them and their roles, to ensure compliance. Training is specifically tailored to the client's industry
Be Ready For The Introduction of GDPR
GDPR Compliance Checklist
The ICO has released a checklist of twelve points to guide businesses in making preparations for the new regulations. The following steps outline the type of issues businesses should be addressing in order to become compliant.
- Awareness – Key people within organisations should be made aware of the change to the law and identify areas of their current approach which may cause compliance problems.
- Holding Information – Any personal data a firm holds about an EU citizen must be documented: what data is being held, where it came from, and who it is shared with.
- Privacy Information – In addition to privacy policies, under the GDPR, organisations must explain their lawful basis for processing information and their data retention periods, and inform individuals that they can complain to the ICO if there is a problem with how their data is being handled.
- Individuals’ Rights – Companies should check their procedures to ensure they cover all the rights individuals have, including how personal data will be deleted under the right to erasure.
- Subject Access Requests – Firms must update their procedures and plan how individuals’ requests made under the rights set out by the ICO will be handled.
- Lawful basis for processing personal data – Organisations should identify the lawful basis for their processing activity, document it, and explain it in their privacy notice.
- Consent – Firms should review how they seek, record, and manage consent and whether they need to make any changes to meet the GDPR standard.
- Children – Businesses must consider whether they need to put additional protocols in place to verify individuals’ ages, and how to obtain parental consent for their data to be processed.
- Data breaches – Companies should make sure they have procedures in place to detect, report and investigate a personal data breach. Under the GDPR, organisations have a duty to report certain types of data breach to the ICO.
- Data Protection by Design and Data Protection Impact Assessments – The GDPR makes privacy by design a legal requirement, and data protection impact assessments (DPIA) mandatory in certain circumstances. Companies should plan for situations in which it is necessary to conduct a DPIA.
- Data Protection Officers – Certain organisations must formally designate a data protection officer who will take responsibility for data protection compliance.
- International – Businesses operating in more than one EU member state should determine and document their lead data protection supervisory authority. The lead authority is the supervisory authority of the state in which the firm’s central administration is based.
Summary of the GDPR
The UK government has confirmed that the GDPR will apply regardless of the other outcomes of the Brexit negotiations. The key points underpinning the GDPR are better control for individuals over what data is stored about them, and modernised and unified laws that make it simpler for organisations to do business across the EU. The regulation will be enforceable from 25th May 2018, and the ICO advises that most organisations take 12 – 18 months to prepare, so it is imperative that firms take steps toward compliance to avoid a potentially devastating fine.
The new General Data Protection Regulation has many similarities with the 1998 Data Protection Act. There are, however, some key enhancements that warrant detailed examination in order to maintain compliance under the new regulation. To explain the path to compliance,...
New EU data regulation laws have been finalised and will be implemented in May 2018. The change highlights the government’s initiative to strengthen data protection policy in order to mitigate the threats of doing business in cyberspace. You’re probably wondering...