The EU General Data Protection Regulation (GDPR) came into effect at the end of last year and will be enforced from 25th May 2018. This law clearly makes any business that deals with European citizens’ data fully accountable. The regulation is quite categorical.
So, despite Brexit, if you handle EU personal data then you must comply. Whilst not dissimilar to the Data Protection Act and the European Electronic Communications Directive, it introduces new elements and definitions, so some grey areas remain around how exactly it will work in practice, and the Data Commissioner’s Office is constantly updating its guidance notes.
Its key elements are an updated definition of personal data (the scope now also includes B2B data); clearer requirements on Data Controllers; the requirement that each data subject (i.e. the person whose data is being collected) must provide ‘explicit consent’ for organisations to store their data; a ‘right to be forgotten’ for data subjects; and an obligation on organisations to show where this data is stored. In addition, organisations must react to a subject access request received from a data subject and provide a complete record of the data being held within 30 days. Any breaches must be reported within 72 hours. Depending on their size, organisations may need to appoint one (or several) Data Protection Officer(s).
A major consideration (and reason to focus on GDPR) is the new cash penalties for non-compliance, which can be severe.
To minimise the organisation’s risk under the new GDPR, a documented strategy is required that comprises investigating your current data and policies, assessing them, determining how they might be improved, and establishing controls to monitor and drive processes.
In addition, all actions taken regarding privacy, minimising data, improving access for subjects, deletions and data rules should be documented, along with the reasons why these actions were taken, to provide a valid audit trail of those decisions in support of your compliance record.
You are urged to act NOW. May 2018 is not so far away, given there are policies to be implemented, risks identified, processes revised, data appraised and improved and staff trained.
For further views on GDPR compliance or if you require assistance with the practicalities associated with it contact Michael Collins on 07958 648014 or email firstname.lastname@example.org
NOTE: This blog posting is for general information purposes only and is not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice. Each organisation should take its own decisions and source its own advice on GDPR compliance.