The GDPR (General Data Protection Regulation) is the new legal framework that will come into effect on the 25th of May 2018 and will be directly applicable in all EU (European Union) Member States from that date.
What does that mean to you?
Under the plans, Data Subjects will have more control over their data, including the right to be forgotten and the right to ask for their personal data to be erased. Reliance on default opt-outs or pre-selected ‘tick boxes’ to obtain consent for organisations to collect personal data will no longer be permitted.
Under the proposed law, higher fines of up to £17 million or 4% of global turnover can be issued in cases of the most serious data breaches. Twelve steps have been published to help businesses prepare for GDPR.
What to Do?
The way data is processed is changing. To be compliant, make sure that all the data you request meets at least one of the criteria set out by the GDPR regulation:
- Data Subject has consented to the processing
- The processing is necessary for the performance of a contract (or to be able to enter into a contract)
- It is required for compliance with a legal obligation
- It is necessary to protect the vital interests of the Subject
- It is necessary for carrying out a task in the public interest
- It is necessary for the purposes of a legitimate interest of the Controller
Children’s Data & Online Services:
When online services collect data from children and consent is the lawful basis for processing, consent is also required from the child’s guardian. GDPR defines a child as under 16, but this is likely to be defined as under 13 in the UK.
New Individuals’ Rights:
The right to be informed must be exercised at the point of data collection, or within one month if the data is supplied by a third party; Articles 13 and 14 list what needs to be communicated.
Every individual has a right to erasure when data is no longer needed or has been processed unlawfully.
The right to data portability applies when data has been provided by the Data Subject (via consent or performance of a contract) and processing is automated.
Do You Use Third-Party Systems?
If yes, carry out GDPR due diligence on your third-party processors:
- How they enable you to be compliant
- Is any international data flow involved?
- Make sure your contracts meet GDPR requirements (Article 28)
- Remember, processing includes storage, so you are using third-party processors if you store your data in Dropbox, Google Docs, a CRM (e.g. HubSpot, Salesforce), etc.
Who Requires DPOs (Data Protection Officers)?
If you are one of the below, you need to appoint a designated DPO, whose duties and conditions within an organisation are set out by the regulation:
- Required for public bodies…
- Or where “the core activities of the controller or the processor consist of processing operations which…require regular and systematic monitoring of data subjects on a large scale”
Are You Ready?
Ask yourself whether it applies to you, before it gets too late:
- Establish a single point of responsibility within your organisation, i.e. nominate a responsible individual
- Audit your data, systems and policies to assess risk areas
- Provide internal guidance and contact points
- Train staff
- Make sure you keep up to date, and
- Last but not least, keep your compliance up to date