What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is an EU regulation that will apply in the UK, and across the rest of the EU, from May 2018.
It was adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission, to strengthen and unify data protection for individuals.
Why is the General Data Protection Regulation (GDPR) being introduced?
The main objective is to give individuals control over their personal data and to simplify the regulatory environment for international business by replacing differing national rules with a single regulation.
The GDPR replaces the 1995 Data Protection Directive.
When will it apply?
The regulation applies from 25 May 2018; there is no further transition period after that date.
Who does the Regulation apply to?
The GDPR applies to any organisation established in the UK or elsewhere in the EU that processes personal data, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It is considerably more stringent than the legislation it replaces.
How to prepare
If you don’t have a handle on your data, complying with these new requirements won’t be easy. With less than two years before the regulation applies, it’s time to start preparing and getting your data in order now.
Here are some tips to help you get data ready…
1 – How is your data currently held?
As a starting point, take a look at how you currently hold and manage personal data, whether it is information on customers, clients or other contacts.
Do you know where this data is stored, how it is protected and who can access it? Do you know whether or not it is shared with other companies?
Understanding this will be vital in making the changes needed to comply with the new regulation. Assign a data owner within your business now and build in regular reviews to delete data you no longer need.
2 – Opting in vs opting out
Under the GDPR, consent must be given by a clear affirmative action, so people will generally need to ‘opt in’ rather than ‘opt out’ of receiving information from you or third parties. If you currently invite customers to tick a box (opt out) if they do not want to receive further information, or have an online form with pre-ticked boxes that need to be unticked, this will need to change: under the regulation, pre-ticked boxes, silence or inactivity will not count as consent. Take a look at your current processes and start thinking about how you will capture and record consent going forward.
3 – Managing data breaches
Under the new regulation, there will be stricter rules on how personal data breaches are dealt with. A breach that is likely to result in a risk to individuals must be reported to the supervisory authority (in the UK, the Information Commissioner’s Office, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, the individuals affected must also be told. Put in place systems and processes for detecting, recording and reporting breaches so that this deadline can be met.
4 – Data access
The new regulation gives individuals the right to access their own data free of charge and within a shorter timescale than is currently permitted (one month, rather than the current 40 days). It also gives people more rights over their data, including the right to erasure (the ‘right to be forgotten’). Review how you currently manage data access requests and consider how you will be able to handle them more quickly and efficiently in the future.
5 – Business buy in and data management
To ensure success in meeting the new requirements, everyone within the business will need to understand the changes and the role they play. If you don’t have a data protection manager currently, it would be prudent to assign this role within your business now. When the regulation applies, some organisations will be required to appoint a Data Protection Officer, depending on the nature and scale of their processing rather than simply on their size (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), and that person may be an employee or an external provider.
The finer details of how the regulation will be applied in the UK are yet to be confirmed; however, we know it is coming and it cannot be ignored. Start by raising awareness now amongst the key people in your business and consider how you will roll this out company wide.