7 steps to prepare for the General Data Protection Regulation
As of the 25th of May 2018, all businesses in the UK have to abide by the General Data Protection Regulation, known as GDPR. This legislature replaces the current Data Protection Act, and in many ways, it covers the same rules as its earlier counterpart. However, there are some crucial differences which need to be taken into consideration for ensuring complete compliance. Fatmir Hyseni, the Head of Digital at flexible staff platform redwigwam, shares seven steps for business leaders to comply with the General Data Protection Regulation.
1. Internal awareness
Naturally, the only way that people can fully abide by the GDPR is if they are fully informed about what it covers. It is your responsibility to ensure that all of the key decision makers and other staff in their organisation are fully in the loop when it comes to the new legislation. You’ll also want to examine areas where the GDPR might have a serious impact on your operations, too- the earlier you get started on this, the better.
2. Documenting the information you hold
One of the biggest changes under the GDPR is that from now on, businesses will need to fully document the personal data that they hold. As well as making it clear just what you hold, you also need to state where you received it from, and who it may be shared with.
3. Consent
Under the Data Protection Act, you should already have guidelines in place about how you receive consent to store personal data from customers and other individuals. However, it’s best to be on the safe side, and carefully review these practices in light of the new GDPR. You’ll need to ensure that consumers are freely and actively giving their consent, with all the necessary info openly available to them. Consent also needs to be opt-in- that means you can’t just take their silence as implying consent, or have consent boxes automatically ticked. Finally, there needs to be an easy way for consumers to withdraw their consent at any time. While you probably won’t need to scrap your existing practices and start again from the ground up, you will need to take care that you remain in full compliance with the GDPR.
4. Reexamine how you handle data breaches
No matter how secure your systems might be, you still need to ensure that your business is fully prepared to deal with potential data breaches. Right now, only companies within certain industries need to report data breaches to the ICO. Now, though, all businesses will need to do so if the data breach is likely to have an impact on the rights and freedoms of individuals. In practice, this means anything which could lead to a damage to their reputation, financial loss, discrimination, or other such consequences needs to be reported. In addition, if the breach poses a high risk to individuals, then you will also need to inform them directly.
5. Your lawful basis for processing personal data
Currently, there’s no need for businesses to explicitly state their lawful basis for processing personal data. When the GDPR comes into effect, though, that all changes. That’s because the new regulations will give people increased rights to have their data deleted if they wish- so if you process that data based on consent, you’ll need to have a framework in place that allows people to withdraw their consent. You’ll also have to update your privacy notices to state that lawful basis, and document your bases to fit within the GDPR’s “accountability” requirements.
6. How you communicate privacy information
Under the Data Protection Act, your privacy notices have to include your identity, and how you may use any personal data that’s collected. With the GDPR, you’ll need to include a few extra pieces of info in these notices as well. On top of clearly communicating your lawful basis for processing the data, you also need to tell people how long you will store their data for, and inform them that if they think there’s a problem with how their data is being used, they can contact the ICO to lodge a complaint.
7. Subject access requests
One of the main aims of the GDPR is to make it clearer to people just how their data is being used. Naturally, that means some big changes to the current regulations around subject access requests. Currently, companies can charge people to access this information, but now for the most part they will have to provide the info free of charge. In addition, the time you have to comply with a request is being tightened from the current 40-day period to a month. You are still able to deny requests which you believe are excessive or unfounded, but if you choose to do this, you will have to explain this to the individual within that same monthly period.
All this means that you’ll likely receive more subject access requests, so you should really rethink the way that you deal with these requests. For example, how long will it take you to manually reply to each and every one of those requests? It may be more convenient for you to allow individuals to securely access their information online, instead of having to be manually approved.
