What is the GDPR?
It’s as good a place to start as any. GDPR, or the General Data Protection Regulation is a new set of EU regulations set to come into force, as a replacement to the existing Data Protection Act.
Is it already upon us?
No. The regulations don’t come into force until May 25th 2018. But don’t do like you used to do with your Geography homework and leave it until the night before. There’s plenty you may need to check or put in place. So now would be a good time to get started.
Who Does It Concern?
It’s the rules and regulations for personal data protection, and every organisation within the EU must comply.
Who Needs to Know About it?
Everyone in the organisation, or company. Business owners need to ensure that they have given their employees clear guidance on the regulations and procedures that need to be in place for due diligence. Saying ‘I didn’t know’ is not going to be a valid excuse.
The Key Requirements
All privacy notices that you issue need to be audited, and amended so that they comply with new guidelines.
Any personal data and information held needs to be accurate and up-to-date. Any organisation who shares data with another organisation, must make clear any changes made to the information contained within. If changes to data are made, you need to record these changes, to keep an accurate record/trail of the amendments.
Individuals are set to have much greater access to any of the personal data that an organisation stores on them. They will legally be allowed to view this data in entirety, as well as making it clear on the levels of profiling or direct marketing they will permit. Individuals can also request deletion of all data contained upon them, with organisation procedures and processes altered to ensure this is adhered to post-GDPR enforcement.
Ensure that your policies are in full compliance with new GDPR laws on granting clear consent for individuals to access their data
GDPR will enforce ever stricter rules upon organisations to ensure that they are taking all reasonable measures to guard against data theft, loss, or other breach. Clear evidence must be shown that you have taken diligent measures in regard to security software, physical security, and other aspects such as disaster recovery plans.
And if you do suffer a breach, then it is your duty to let the Information Commissioner’s Office (ICO) know at the earliest possible moment.
Your terms of service need to reflect the seriousness that you take your obligations to security.
Organisations will be required to have an appointed Data Protection Officer to oversee all obligations and responsibilities. 3rd party or external officers are permitted, subject to approval.
For further details, please visit ico.org.uk