A new data privacy law, the General Data Protection Regulation (GDPR), comes into force in May 2018, overhauling current data protection legislation. Here, we explain why all businesses need to take notice.
The General Data Protection Regulation (GDPR) increases consumer rights over the way their data is collected, maintained and shared. It must be met by anyone handling personal data of EU citizens, and no business is exempt.
Personal data refers to ‘anything, from a name, a home address, a photo, an email address, bank details, medical information or a computer’s IP address’.
If you handle EU citizen data, you will need to demonstrate compliance with the new regulation, ideally by having someone in your business responsible for data protection and by ensuring you gain a customer’s consent before using their data (using an ‘opt in’ rather than the current ‘opt out’ mechanism).
You will also need to have an action plan in case of a data breach. This will involve notifying customers and reporting the incident to the Information Commissioner’s Office (ICO) within 72 hours. This is a short amount of time, given that you will need to both determine the extent of the problem and communicate with affected customers within this time frame.
Given the obligation to notify within such a reduced time frame, and with failure to comply with GDPR resulting in a hefty fine – up to 4% of global annual turnover up to a maximum of €20m – businesses need to think carefully about how they hold and manage personal data.
Your preparation for the impact of GDPR should already be underway, whatever the size of your business. Here are 12 steps to help you get ready for one of the biggest changes in data regulation for many years.
1. Awareness – Ensure key people and decision makers are aware of the impact this is likely to have.
2. Document the information you hold, where it came from and how you use it. Carry out an information audit if you need to.
3. Review your privacy notices and update them if necessary in readiness for the implementation of GDPR.
4. Check that your procedures cover individuals’ rights over their data, including how you delete records and how you transmit data.
5. Plan who has access to data records and who has the ability to amend and update records when required. This ensures a transparent audit trail of who is using the data and for what purpose.
6. Confirm the legal basis you have for using the data you hold and document it.
7. Review the way you obtain data, with particular regard to how you obtain and record the individual’s consent to use it.
8. Plan how you will verify the ages of individuals when gathering data, so that when dealing with minors, parental or guardian consent is obtained and recorded.
9. Ensure you have procedures in place to detect, investigate, and report a personal data breach.
10. Use the available guidance on Privacy Impact Assessments to understand how to implement them within your business.
11. Designate a Data Protection Officer, if necessary. This must be a responsible person, as the role should sit within your company’s governance arrangements.
12. If you deal internationally, you will need to determine which data protection supervisory authority you come under.
Obviously, full compliance with the new regulation will help mitigate your risks and will be viewed favourably by underwriters. Our advice to businesses is to act now – ensure you are ready to comply with GDPR when it comes into force in 2018.