Regardless of size, the GDPR (and of course in the UK the DPA 2018) will impact all businesses, especially those processing large amounts of personal data (information which relates to an identified or identifiable natural person) or special category (sensitive) data.
The General Data Protection Regulation (GDPR; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) is the EU-wide regulation that has been enforceable from 25 May 2018. The Data Protection Act 2018 (a United Kingdom Act of Parliament which updates data protection law in the UK, supersedes the Data Protection Act 1998 and enacts the GDPR into UK legislation) received Royal Assent on 22 May 2018. Therefore, regardless of Brexit, strict data protection law (any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction, as amended, consolidated or re-enacted from time to time, that relates to the protection of individuals with regard to the processing of personal data) is here to stay.
The Information Commissioner's Office (ICO), the regulator for the UK and its independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and related legislation, released statistics on 14 May 2018 showing a 17% increase in reported data breaches compared to the previous quarter. This demonstrates that awareness around data protection is rising and that having the correct processes and procedures in place is essential.
How will the new regulations impact your business?
Your data subjects will want (and now have a right) to know what you are doing with their data. The days of a paragraph-long privacy policy are gone. You need to ensure that both external data subjects (e.g. customers) and internal data subjects (e.g. employees) are fully aware of what your business is doing with their personal data and who you are passing it on to (known as third-party Data Processors).
You will need to know what categories of data you process and whether they include sensitive (e.g. race, religion, health, criminal) data, where it is stored, who has access to it and why. Keep in mind that no processing can happen without a lawful basis (you have six to choose from) for processing the personal information in the first instance. You will need to understand the data flow and all potential risk areas within your business. This can be achieved by carrying out an Impact Assessment, which will also highlight areas where data is retained for longer than required or unlawfully duplicated.
You cannot risk ignoring a data breach. Apart from those fines you've heard so much about, the 72-hour window for notifying the regulator of a reportable breach is not a long time, and ensuring you have the correct processes in place is essential. At a minimum, all data-facing staff should receive relevant training on data protection and breach reporting to ensure they understand what a breach is, the terminology and the internal processes. Subsequent refresher courses and new-joiner training are essential to ensure ongoing staff awareness and your ability to demonstrate compliance.
Ensure you have a defined process and documentation in place to handle Subject Access Requests within the 30 days and at no cost to the data subject (an individual who can be identified or is identifiable from data). It is the data subject's right, and regardless of the cost to your business, you need to comply. Therefore, having a predefined process and a record of all your processing activities is essential.
Under the GDPR the Controller and Processor are both jointly and severally liable, meaning that if, as the Controller, you pass personal data to a third-party Processor, you need to ensure that the Processor provides 'sufficient guarantees' of compliance and of protection of the rights of Data Subjects.
Accountability sits at the core of the GDPR, so ensure you have sufficient internal knowledge to comply in this new era of data protection. If your business lacks the knowledge, time or resources, we can help. Take a look at our Outsourced DPO services, starting from as little as 2 hours a month; The DPO Centre can support you on your compliance journey.