The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
The requirements of the GDPR are being incorporated into the new Data Protection Bill which is currently going through Parliament.
The purpose of this news post is to provide information, advice and guidance on what GDPR means for businesses and what you need to do to implement the new regulations.
GDPR builds on the provisions of the Data Protection Act 1988. If, as a business, you’re already complying with the current legislation, then your existing approach should continue and serve as a starting point to build upon. From there you can address the main areas where the GDPR differs from existing data protection legislation, some of which are:
- the principle of accountability;
- lawful basis for processing personal data, including consent;
- enhanced data security;
- greater rights for individuals, including the right of erasure and access to data.
The principle of accountability
This principle requires controllers of personal data to be responsible for, and able to demonstrate, compliance with the new regulations.
Ultimately this means that you will need to review all of the existing data protection policies and procedures for your business to ensure they comply with the new regulations. This includes the procedures to detect, report and investigate data breaches.
As part of this review, all of your employees should be trained and aware of how to deal with personal data to demonstrate their understanding of the new requirements.
The Information Commissioner’s Office (ICO) has produced a 12-step guide to preparation which you might find helpful. The link is given later in this news post.
Lawful basis for processing personal data, including consent
The key difference in legislation here is the need to inform data subjects (deemed to be living individuals to whom personal data relates) of the legal reason you are holding and processing their personal data.
To meet the new GDPR requirements you must obtain consent for holding and processing any personal data where you do not have a lawful right to do so, for example, where you use the data for marketing purposes only. Consent must be freely given by the data subject and be explicit, affirmative, finite and documented. A tick box to opt out of receiving marketing information is simply no longer sufficient.
Data subjects must also be made aware that they can withdraw their consent at any time or they can complain to the ICO if they think their data is being handled incorrectly.
Enhanced data security
The GDPR regulations state ‘The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
Currently, the flow of data between the businesses and clients we work with (you) and us is by a variety of methods such as email, post, delivery by hand, CD discs, pen drives and memory sticks.
We all need to ensure that whatever the method of receiving and returning data, we have appropriate security measures in place to protect this.
The David Allen Group of businesses recognises the importance of data security and we already have many processes in place to safeguard data. To further support these processes we launched our ‘VC Portal’ in 2017, which is a secure and audited document distribution and management system that allows us to share documents and information with you, to ensure the security of the personal data contained within. If you haven’t already signed up to our portal, or would like to learn more, click here.
We will continue to encourage all businesses and clients we work with to use our portal going forward. However, where this is not possible, we will consider other methods of protecting data, which we will discuss with individual clients according to their needs.
Greater rights for individuals
Under GDPR, individual rights have been strengthened to include:
- greater rights to request access to data
- right to erasure (right to be forgotten)
- right to have data rectified within one month if inaccurate or incorrect
If a data subject exercises their right to be forgotten and there is no lawful basis to continue to hold and process their data, then this must be deleted from all databases and files.
In addition to this, subject access requests will in future, in most cases, be free and must be fulfilled within 30 days of being requested, instead of the current 40 days.
The GDPR launch date of 25 May 2018 is fast approaching. While businesses do not have to be fully compliant by this date, it is advisable to be in a position where you can demonstrate that you are taking action to comply with the new regulations. This means documenting the steps you have taken and are taking, while giving serious thought to how you are going to ensure that any data you hold is secure.
We will be updating our engagement letters to include the new requirements and will inform you all of the changes before 25 May 2018.
This is a brief overview of the key areas; however, there is a whole host of additional information relating to GDPR which can be found on the ICO website. Click here for more details: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
If you require any further information, please contact Deirdre Burnet on 01228 711888 or email email@example.com
Posted: February 27th, 2018