With just four months to go until the GDPR comes into force, if you have not yet thought about how to become compliant, now is the time. Yesterday, if possible.
There is real urgency for businesses to get compliant. To get started, you’ll need to have a firm understanding of what GDPR is and what it means for your business.
Here are a few important areas you need to tick off your GDPR compliance checklist.
Do you know what GDPR is?
The first question to ask yourself is: how good is your awareness of GDPR? Awareness is a spectrum. Some business people know the regulation inside out, while others have only a hazy idea of what it requires.
In essence, GDPR is the result of four years' work by the EU to align data protection law with the way data is collected and used today.
It follows the conclusion that the existing data protection framework, the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998), does not account for today's technology.
Tougher, more up-to-date rules will replace the Data Protection Act 1998. The GDPR, which applies from 25 May 2018, introduces much larger fines for breaches and non-compliance (up to 4% of global annual turnover or €20 million, whichever is higher) and gives individuals more say over what companies can do with their data.
Who is in charge of how we use data?
In other words: do you know who governs your GDPR practices?
It’s vital that you know who oversees this area. We’ll explain it in brief here.
Each EU member state has a supervisory authority (often called a data protection authority) responsible for enforcing the regulation.
These are the bodies you report personal data breaches to, and you can also turn to them for wider GDPR guidance.
If your only establishment is in the United Kingdom, your supervisory authority is the Information Commissioner's Office (ICO).
Organisations established in other EU member states answer to that state's own authority; the European Commission publishes a list of all the national data protection authorities.
Who do we put in charge of how we use data?
Internally, you may need to assign this responsibility to a Data Protection Officer (DPO). Appointing one is mandatory only for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those processing special category data (such as health or biometric data) or criminal conviction data on a large scale (Article 37).
For everyone else it is optional; earlier drafts of the regulation would have required a DPO at any company with more than 250 employees, but that threshold did not survive into the final text.
But – and it is a big one – we recommend you designate a DPO to oversee your company's compliance anyway. The requirements are more demanding than they first appear, and a qualified, professional DPO in charge of compliance is a real asset.
This part is reasonably straightforward. You can appoint a trusted existing employee and train them, although the GDPR does not require a formal certificate: what it asks for is expert knowledge of data protection law and practice (Article 37(5)). Two caveats: the DPO must be able to act independently and report to the highest level of management (Article 38(3)), and must not hold a role that decides the purposes and means of processing, so a head of marketing or head of IT would normally be a poor choice because of the conflict of interest (Article 38(6)).
Here is a little more on the work a DPO undertakes (Article 39):
- Informing and advising the organisation and its staff about their GDPR obligations, and guiding the organisation on its way to compliance.
- Monitoring compliance, including internal data-handling practices, awareness-raising and staff training, and advising on data protection impact assessments.
- Acting as the contact point for the supervisory authority and for individuals who have questions about how their data is used, so the DPO is the first port of call for everyone.
Do you know how to actually get consent under the GDPR?
There is no room for ambiguity here. Consent must be freely given, specific, informed and unambiguous, and it must be signalled by a clear affirmative action (Article 7 and Recital 32). Pre-ticked boxes, silence or inactivity, and opt-out mechanisms are common today, but none of them counts as consent under the new legislation. Where you process special category data, the bar is higher still: consent must be explicit.
Your company must keep a record of how and when each individual gave consent, and what they were told at the time. Bear in mind that the individual may withdraw consent at any time, and withdrawing must be as easy as giving it (Article 7(3)); if opting in was a single click, opting out cannot require a phone call. They also have the right to know how their information is being used. Consent is also only one of six lawful bases for processing (Article 6); if you could not realistically stop processing when someone withdraws, for example because you need the data to fulfil a contract, consent is the wrong basis and you should rely on a more appropriate one.
Do you know what counts as personal data under GDPR?
This is paramount. As with everything in GDPR, there must be no room for error, misunderstanding or ambiguity.
Article 4(1) of the regulation defines personal data as any information relating to an identified or identifiable natural person. It goes on:
"an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
One of the most significant clarifications is that personal data explicitly includes online identifiers: Recital 30 names IP addresses, cookie identifiers and RFID tags, and mobile device identifiers such as advertising IDs fall into the same category. If your logs, analytics or ad-tech stack hold such identifiers, they hold personal data and everything on this checklist applies to them.
How will GDPR be affected by Brexit?
The UK is leaving the European Union, but there is minimal cause for concern on this front.
Article 50 was triggered in March 2017, which started a two-year negotiation period, so the GDPR takes effect in May 2018 while the UK is still a member state and well before the legal consequences of Brexit bite.
This means UK organisations must comply from 25 May 2018 like everyone else. Two further points make Brexit largely irrelevant to your preparations: the government's Data Protection Bill, before Parliament at the time of writing, carries the GDPR standard into UK law so that it survives exit; and the regulation applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour (Article 3(2)), so a UK business with EU customers would be bound by it regardless.
Karen Bradley, then Secretary of State for Culture, Media and Sport, put it this way:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR, and then look later at how best we might be able to help British businesses with data protection while maintaining high levels of protection for members of the public.”
Do you know how to handle data breaches?
It helps to understand clearly what a data breach is. Here is the definition our supervisory authority, the ICO, gives:
“A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data”.
If a breach happens, you must notify your supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33). Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals themselves without undue delay (Article 34). Whether or not you report it, you must keep an internal record of every breach, its effects and the remedial action taken (Article 33(5)); the ICO can ask to see that record. In practice this means you need a breach response procedure in place before 25 May, since 72 hours is very little time to discover, assess and document an incident from a standing start.
An unaddressed breach can cause real harm to the individuals whose data it is, and by extension to staff and the company: Recital 85 lists discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, and the related economic or social disadvantages.
These are just a few of the areas of GDPR compliance you should be thinking about; there are many more. For what you need to do to market responsibly by May 2018, our GDPR Toolkit for Businesses has all you need to know.
The toolkit also contains a comprehensive checklist expanding on the points covered here. You will be able to tick off each area to ensure your business reaches compliance well before 25 May 2018.
Remember that preparation is key, so get started today!