Coming into force on 25 May 2018, the General Data Protection Regulation (“GDPR”) is intended to standardise data privacy law across Europe, protecting the personal data of individuals in the EU and reforming how organisations that process that data manage data privacy.
With less than a year until GDPR comes into force, now is the time to review your organisation’s existing processes and ensure they are compliant with the new regulation. Failure to do so can result in significant fines of up to €20m, or 4% of annual worldwide turnover, whichever is higher.
What Does This Mean For Your Organisation?
GDPR will significantly increase organisations’ responsibilities and obligations in how they collect, use and protect personal data. The new regulation centres on organisations being transparent about how they use and protect personal data and, where required, being able to demonstrate accountability for their data processing activities.
What Does Your Organisation Need To Do?
- Be Aware – Review current processes, identifying any problem areas.
- Be Accountable – Review all personal data currently held, identifying why it is being held, how it was obtained, why it was originally gathered and how long it is to be retained for.
- Communication – Review data privacy notices and communicate to the individuals whose data you hold how their information is being used.
- Personal Privacy Rights – Review existing procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide it electronically on request.
- Access Requests – Create and implement a process for responding to subject access requests within the new timeframe of one month (extendable by a further two months for complex or numerous requests).
- Legal Basis – Identify and document the lawful basis for each processing activity, and explain it in the organisation’s privacy notice together with the retention period.
- Customer Consent – Review how your organisation asks for, obtains and records consent, and update your approach accordingly.
- Children’s Data – When processing data for minors, ensure there are systems in place to verify individual ages and gather consent from parents or guardians.
- Data Breaches – Review and, where necessary, implement procedures to identify, report and investigate a data breach, bearing in mind that notifiable breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them.
- Data Protection Officers – Consider whether your organisation requires a designated Data Protection Officer and, if so, review whether your existing approach to data protection compliance will meet the GDPR’s requirements.