All businesses, big and small, will need to comply with the new data protection regulations that come into effect on 25th May 2018. If organisations are found to be in breach of this new legislation, they could face a fine of up to €20 million or 4% of their global turnover, whichever is greater.
We have a number of workshops that can help businesses prepare for GDPR.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Commission intends to strengthen and unify data protection for all individuals within the European Union (EU). The GDPR aims primarily to give control back to citizens and residents over their personal data being held by organisations. When the GDPR takes effect, it will replace the data protection directive of 1995.
The GDPR was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation, and is therefore directly binding and applicable.
The Information Commissioner’s Office recommends the following 12 steps in order to prepare your business:
- Awareness – You should make sure that decision makers and key people in the organisation are aware of the change.
- Information you hold – Document what personal data you hold, where it came from and who you share it with.
- Communicate privacy information – You should review your current privacy notices.
- Individuals' rights – You should check your procedures to ensure they cover all the rights that individuals have.
- Subject access requests – Ensure your procedures enable you to handle requests from individuals.
- Consent – You should review how you seek, record and manage consent.
- Children – Identify if any of your processing involves children under 13 years old and have the proper processes in place to deal with that.
- Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – Work out whether your organisation needs to implement these.
- Data Protection Officer – You should designate someone to take responsibility for data protection compliance within your organisation.
- International – If your organisation operates in more than one EU country, you should determine your lead data protection supervisory authority.