With an implementation date of 25 May 2018, the General Data Protection Regulation (GDPR) is set to shake up the way that businesses handle the personal data of their clients, customers, subscribers and users.
The severity of the fines for noncompliance has caused a great deal of media discussion; however, the majority of businesses still find themselves uncertain about how GDPR will affect them and how they should prepare for it.
In the following article, we will explain the basics of GDPR and suggest some practical ways that businesses can get themselves prepared.
What is GDPR?
The General Data Protection Regulation is a regulation by which the European Commission, the European Parliament and the Council of the European Union aim to strengthen the data protection of all individuals within the European Union.
GDPR aims to give citizens control over their personal data under unified rules that apply across the EU and to all foreign companies that process the data of EU citizens.
Why does it matter?
Anyone with knowledge of the Data Protection Act may already be familiar with many of the central principles of GDPR; however, there are some extremely significant changes to the regulation that all businesses should be aware of.
Under GDPR, businesses will not only be required to adhere to the regulation but, crucially, to document how they comply.
This principle of accountability is central to GDPR and leads to perhaps the most important thing employers should know about the new regulations: the huge fines for noncompliance.
Below, we have listed three practical ways that businesses of all sizes can start to prepare for GDPR.
1) Ensure staff are aware of the changes
As we highlighted earlier, noncompliance with GDPR is not an option for businesses. Ensuring that all staff who handle the data of your clients or customers are aware of their responsibilities is essential.
Adhering to GDPR could involve the development and implementation of new data handling procedures and policies, so ensuring your key players are aware at an early stage leaves you with plenty of time to prepare.
2) Review existing privacy policies and procedures
Businesses should review their current privacy policies and put a plan together for making any changes necessary for GDPR.
Privacy notices should be reviewed to add the additional information required under GDPR. For example, businesses will need to explain the lawful basis for processing clients' data.
Steps should equally be taken to document what data you hold, where it comes from and who it is shared with. By doing this, you can ensure that you are meeting the GDPR requirement of demonstrating how you comply with the regulations.
3) Data breaches
Businesses should ensure that they have the procedures in place to detect, report and investigate any data breaches that might occur.
GDPR introduces a responsibility on all businesses to report certain types of data breaches to the ICO and, in some cases, to the individuals affected.
If a breach of the personal data you hold could result in a risk to the rights and freedoms of individuals, then you should put procedures in place to detect, report and investigate such breaches immediately. Failure to report a breach when required to do so could lead to a fine, on top of the fine for the breach itself.
May 2018 might seem like a long time away, but with the looming threat of such severe fines, there is no time like the present for getting prepared for GDPR.
Visit the ICO website for more information about the General Data Protection Regulation.