Written by Jonathan Hunt
15 Aug, 2019
Digital Minister Matt Hancock has announced that the UK will be implementing a new Data Protection Bill that will comply with the EU’s General Data Protection Regulation (GDPR). With the introduction of the GDPR just under 8 months away, you may be worried as to whether your Organisation will be in a position to comply. In fact, Gartner predicts that over 50% of Companies affected by the GDPR will not be fully compliant by the end of 2018. However, by taking the correct steps sooner rather than later, you can prepare your Company for the Data Protection Bill and avoid the heavy punishments for not complying. In this post, we’ll explain what the GDPR is, why it’s significant and guide you through the steps you can take now to help you prepare for its introduction.
The General Data Protection Regulation (GDPR) is an EU legislation which sets out measures an Organisation must take in order to protect personal data. The GDPR will enable individuals to control what happens with their personal data, allowing them to decide who has the data, what they can do with it and when it’s deleted. The GDPR states that you must keep records of where you acquired all personal data from and how you plan to use it; you are also required to prove that you had consent to obtain the data and demonstrate what you are doing to protect it. The GDPR will apply from the 25th May 2018, with the UK’S GDPR compliant Data Protection Bill replacing the existing Data Protection Act (DPA).
Rules have been harmonised to create a consistent regulation for countries within the EU, with one set of laws applying across all 28 member states. By complying with the GDPR, the UK hopes to ensure the secure free exchange of data with the EU post Brexit. A number of the DPA’s main principles will feature in the new act so if you are abiding by the current law then this is a good base to build upon. However, technology has advanced considerably since the DPA was created back in 1998; this, alongside the increasing focus on data security and privacy means that many of the existing concepts are now obsolete. There are consequently several significant changes to the legislation that you need to plan for accordingly.
Make key people aware of the legislation One of the first steps you can take is simply making sure key people within your organisation are fully aware of the impact the GDPR will have on your Business. Ensuring that everyone at the top of the Company is on board with the changes is a vital step towards compliance. Be aware of changes to individuals’ rights One of the main objectives of the GDPR is to strengthen the rights of data subjects. It’s important that your procedures cover the rights that individuals have, which are: the right to be informed, the right of subject access, the right to rectification, the right to erase (‘to be forgotten’), the right to resist, the right to data portability and the right to object. Document what personal data you currently hold and where you obtained it from The GDPR states that you must maintain records of your processing activities. In order to comply, you will need to establish what personal data you currently hold, documenting where you obtained it from and who you have shared the information with. You will need to prove that the data was freely given to you and demonstrate that you have a legitimate interest for holding the data. You also need to document how long you have held the data for; if you are unsure where you got the data from or how long you have held it for, you will be unable to prove you have a legal basis for holding the data. Carrying out this process will also help to demonstrate that you have effective policies and procedures in place which is an important part of the accountability principle of the GDPR. Individuals are entitled to carry out Subject Access Requests where you are required to share the information you have about them so it’s important that you have easy access to it. Set up processes to communicate privacy information Under the DPA, in order to collect data you are required to tell people who you are and what you plan to do with their information. In addition to this, the GDPR states that you must provide a clear and concise explanation of your lawful basis for processing the data as well as your retention periods. You are also obliged to make it clear that individuals can make a complaint to the Information Commissioner’s Office (ICO) if they believe you’re using their data in an inappropriate manner. A useful way of relaying this information is by using a privacy notice. Review procedures for seeking consent Next you need to review your procedures for obtaining data and in particular how you seek consent. The GDPR states that consent must be freely given, specific, auditable and withdrawable. It’s important to have a clear and specific process for attaining and documenting consent. You also need to make it easy for people to withdraw their consent and ‘opt out’ should they wish. It’s vital that you have procedures in place to be able to delete personal data if people withdraw consent as individuals have ‘the right to erasure’ under the GDPR. Designate someone within your organisation to deal with Data Protection It’s recommended that someone within your Company is designated to deal with data protection compliance. If your Organisation is a public authority or you carry out large scale processing of data such health records or information on criminals then you are required to appoint a Data Protection Officer. Notify serious data breaches to the ICO You have to notify a security breach to the ICO if it is likely to cause significant economic or social disadvantage to an individual. Failure to report these types of breaches can result in heavy fines. It’s important that you have systems in place to detect and protect against data breaches.
If you haven’t already done so, it’s time to take steps towards protecting against data breaches to ensure compliance with the Data protection Bill . It’s well known that hacking and viruses are major causes of data loss, but how can you actually prevent cyber threats? The best way to protect yourself is by having a robust network security plan in place. At Venom IT, we specialise in cyber security so we can put in place various measures to guarantee the protection of your data and help you to comply with the GDPR and the Data Protection Bill. We are ISO9001 and Cyber Essentials certified, meaning you can be 100% certain of both the security and quality of the systems we will put in place to protect you.
Failure to comply with the GDPR could see your Company either fined up to 4% of its annual turnover or £17 million, depending on which figure is higher. On top of this, the damage it would cause to your reputation could be catastrophic with potential customers unable to trust you. With this in mind, it’s vital that you start preparing for the changes now. Taking the correct measures now presents an ideal opportunity to demonstrate to your customers that they can trust you with their data. For more information about what we can do to help you comply with the GDPR and the Data Protection Bill, Contact Us now. A full list of the procedures you need to follow can be found on the ICO website.