Tigerfish’s guide to GDPR
Sit down in any office building for a day and there is no doubt you will come across GDPR in some way, shape or form; in conversation, in an industry magazine or scattered across staff noticeboards, there simply is no hiding from it. So what is it, why is it so important and how can you prepare for it in your business?
GDPR stands for General Data Protection Regulation and has been sanctioned by the European Union to control and manage the ever-changing landscape of the use of personal data. The new legislation states that anyone who handles data on EU citizens is affected, regardless of whether they are located in the EU or not – the first global protection law. It came into effect in April 2016, but expects all businesses to be compliant by 25th May 2017 or face charges of up to £20m or 4% of annual turnover.
Personal data is defined as any information relating to a person where they can be identified directly or indirectly. Examples of this include:
- Name and address
- Photograph ID
- Social Media profiles
- Medical information
- Bank details
- IP addresses
In order to be compliant with GDPR, businesses that possess this personal data must have a ‘legitimate reason’ to do so. Companies will also have to be transparent in the way they obtain data, and if asked to do so, explain the exact process of how it was gathered – bringing an end to the vague tick box method used by most organisations when accepting Terms and Conditions as well as the re-selling of personal data gathered using this type of scheme.
Similarly, the regulation also maintains that companies who hold personal data should only do so for as long as is absolutely necessary, and should use it only for its original purpose.
The ICO, the UK’s independent authority set up to uphold information rights in the public interest, has set out a 12 step plan for businesses to prepare for GDPR.
- Awareness – Ensure all key decision makers within your organisation are aware of GDPR and its implications.
- Information held – Document what personal data is held, where it came from and who it’s shared with for potential auditing purposes.
- Communicating Privacy Information – Review current privacy practices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individual rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically.
- Subject access requests – Update your procedures and plan how you will handle requests.
- Lawful basis for processing personal data – Identify the lawful basis for each processing activity under the GDPR, document it and update your privacy notice to explain it.
- Consent – Review how you seek, record and manage consent and whether changes need to be made. Also refresh existing consents if they don’t meet new standards.
- Children – Start thinking about whether you need to implement systems to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from Article 29 Working Party and find a way to implement them into your organisation.
- Data Protection Officers – Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. Should you appoint a Data Protection Officer (DPO)?
- International – If your organisation operates in more than one EU member state you should determine your lead data protection supervisory authority. Article 29 Working Party can assist you with this.
For the ICO’s full 12 step guide to GDPR preparation, click here.