From 25th May 2018, the new General Data Protection Regulation (GDPR) will come into force. It will affect any businesses which hold personal data on customers or employees based within the EU. The fines for non-compliance with the new law are up to €20m or 4% of your global annual turnover. Although that sounds scary, don’t panic! The information in this blog will help you in your preparations for GDPR compliance.
A good place to start is to document the following:
• What data you hold
• The reason why you hold it
• Who is responsible for it
• Where and how it is stored
Think about the data you wouldn’t want to be disclosed. The use of encryption will reduce the risk of data breaches. If the proper standards of encryption are used, it will for the most part render the data useless to an attacker.
You will need to review your current privacy notices. With GDPR, when obtaining personal data you must give the following:
• Your identity
• Your intended use of their information
• Your lawful basis for processing the information
• Your data retention periods
• The individual has the right to complain to the ICO if they think there is a problem with how you are handling their data
All of this is usually expressed in a privacy notice.
Business-to-business emails should be targeted toweards a person’s role, not at the specific person.
Business-to-consumer emails however should be targeted to the individual providing you have consent prior to contacting them.
You musn’t email people who have been asked not to be contacted, unsubscribed or opted-out in some way.
Consent to process data must meet the GDPR standards of being ‘specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn’.
Consent cannot be assumed from silence.
You will have a month to comply with access requests as opposed to the current 40 days.
For most requests, you cannot charge for complying with the request unless it is thought to be excessive.
If you refuse a request, you must tell the individual why and that they have the right to complain.
You should plan how you are going to deal with access requests and the right to be forgtten within the timescale.
You will only need to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals; for example damage to reputation, financial loss or discrimination. In high risk situations, those directly involved must also be notified.
To reduce the impact of breaches, as well as the use of encryption, you should be prepared. Rehearse and have contingency plans in place for a worst case scenario.
Most importantly, inform everyone in your business of your new data protection policy.
Data Protection Officers
Your business needs a designated person to take responsibility for data protection compliance. They must have the knowledge, support and authority to carry out their role.