Regardless of size, the GDPR (and, in the UK, the Data Protection Act 2018) affects every business, especially those processing large volumes of personal data or special category (sensitive) data.
The General Data Protection Regulation (GDPR) is the EU-wide regulation that has been enforceable since 25 May 2018. The Data Protection Act 2018, which supplements the GDPR in UK law, received Royal Assent on 23 May 2018, so regardless of Brexit, strict data protection law is here to stay.
The Information Commissioner's Office (ICO), the UK regulator, released statistics on 14 May 2018 showing a 17% increase in reported data breaches compared to the previous quarter. This demonstrates that awareness of data protection is rising, and that having the correct processes and procedures in place is essential.
How will the new regulations impact your business?
You will need to know what categories of data you process and whether they include sensitive data (e.g. race, religion, health or criminal offence data), where it is stored, who has access to it and why. Keep in mind that no processing may take place without a lawful basis (there are six to choose from) for processing the personal information in the first instance. You will need to understand the data flows and all potential risk areas within your business. This can be achieved by carrying out a Data Protection Impact Assessment, which will also highlight areas where data is retained for longer than required or unlawfully duplicated.
You cannot risk ignoring a data breach. Apart from the fines you have heard so much about, the 72-hour deadline for notifying the ICO of a reportable breach is not a long time, so having the correct processes in place is essential. At a minimum, all staff who handle personal data should receive relevant training on data protection and breach reporting so that they understand what a breach is, the terminology and the internal processes. Refresher courses and new-joiner training are essential to maintain staff awareness and your ability to demonstrate compliance.
Ensure you have a defined process and documentation in place to respond to Subject Access Requests within one month (extendable by up to two further months for complex or numerous requests) and, in normal circumstances, at no cost to the data subject. It is the data subject's right, and regardless of the cost to your business, you need to comply. A predefined process and a record of all your processing activities are therefore essential.
Under the GDPR, the Controller and Processor can each be held liable for the whole of the damage caused by the processing, so if, as Controller, you pass personal data to a third-party processor, you need to ensure that the processor provides 'sufficient guarantees' of compliance and of protection for the rights of data subjects, and that this is set out in a written contract.
Accountability sits at the core of the GDPR, so ensure you have sufficient internal knowledge to comply in this new era of data protection. If your business lacks the knowledge, time or resources, we can help. Take a look at our Outsourced DPO services, starting from as little as 2 hours a month: The DPO Centre can support you on your compliance journey.