By mid 2018, the General Data Protection Regulation (GDPR) will require any organisation using data of Data Subjects in the EU to more securely collect, store and use personal information. This not only includes businesses but also local government, hospitals, schools and charities. Pretty much everyone!
Failure to comply with the law could bring fines of up to 4% of global turnover…not revenue…turnover.
One of the biggest changes in the law is that the controller (and processor) of the data must be “Accountable” for how it is treated. This means you need fully documented evidence to prove that you have done everything in your power to keep the data protected.
The process of compliance isn’t a quick fix, and you should consider starting your compliance program now rather than panicking later in the year.
So to reduce that worry, here is a checklist of some of the things you should do now:
- Create Board awareness
- Create staff awareness – All employees regardless of their division or job role should be alerted to the new laws
- Data Protection Officer appointment – For larger companies this should not be a Board member but someone who does have direct access to the board. Smaller firms should consider outsourcing.
- Information identification – You must make an inventory of all personal data you hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
- Update Privacy Notices – This is vital on web pages where personal data is collected.
- Update Data Protection Policies – Review all internal policies to ensure they are compliant.
- Update Information Sharing Agreements – Check contracts with all 3rd parties. Your suppliers should adhere to the policies you implement.
- Approved Data Privacy Impact Assessments – This is a legal requirement on all new data processing systems but is also a useful starting block to ensure there are no weak links in your data network.
- Have a plan to report breaches – Organisations must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point. You must report it within 72 hours.
- Establishment of Data Subject Rights Management protocols – Subject Access Requests must now be addressed within 30 days. Ensure that staff understand the urgency needed and how the requests can be answered efficiently.
- Privacy by Design implemented into the project methodology – Ensure any new developments have the correct mechanisms in place, e.g. allow for consent to be given and rescinded.
This is not something that is going to go away. Everyone must be compliant by May 2018 or face huge fines. Now is the time to act.
For more information contact Chorus Advisers on 0845 8671263 or email firstname.lastname@example.org or
Nicholls Law on 01702 804134, email email@example.com.