The General Data Protection Regulation (GDPR) is here, and it affects every organisation that handles data.
In preparing for GDPR, you should have:
- Reviewed and amended your privacy policies and notices.
- Established a system for managing and correcting the data you share with other organisations.
- Ensured you are able to comply with the new Subject Access obligations.
- Reviewed your legal basis for processing data, and ensured your consent management is compliant.
- Understood the requirement for Privacy Impact Assessments, and data breach reporting, and prepared to use them.
- Put in place policies, procedures and monitoring processes to manage your compliance.
- Considered the need to appoint a suitably qualified Data Protection Officer.
- Trained your organisation so that it understands the new rules and obligations.
If you haven’t completed these steps yet, it’s not too late! Speak to one of our experts today for confidential and no obligation advice.
Privacy policies and notices
Under the GDPR you need to explain your legal basis for processing data and how long you will retain the data for, and tell data subjects they have a right to complain to the Information Commissioners’ Office if they think there is something wrong. The explanations that you give to data subjects must be easy to understand and concise.
Managing and correcting data
You need to know what personal data you hold, where it came from and who you share it with because there is a new obligation to tell other organisations, who you’ve shared data with, about any inaccuracies in the data you shared. This is in addition to the current obligation to ensure the data you hold is accurate.
You will now normally have just a month to comply with a subject access request, and in most circumstances you won’t be able to charge for providing the information. When responding to a subject access request you’ll also need to explain our data retention period and the right to have inaccurate data corrected. When responding you have to provide the data electronically and in a commonly used format where required by the data subject.
Processing and consents
Under GDPR rights of data subjects differ depending on the legal basis for their data being processed. If you rely upon consent for data processing the data subject’s rights are greater. You’ll need a system for understanding and managing the basis on which you process data, and if you rely upon consent GDPR makes it clear that you must be able to demonstrate that consent was given meaning that you will need an effective audit trail. If the data relates to a child you also need their parent or guardian’s consent.
Privacy Impact Assessments and Data Breaches
In high-risk situations, for example in the use of new technology or where processing is likely to significantly affect individuals, you are likely to be required to carry out a Privacy Impact Assessments (PIAs). If this may apply to you you’ll need to put in place a process for implementing them in your organisation, including deciding who will take responsibility for them.
If you suffer a data breach you will be required to notify the Information Commissioners Office and if the breach might expose the affected data subjects to harm or loss you will also need to notify each data subject.
Systems and Controls
The GDPR introduces an accountability principle meaning you will need to be able to show you comply with the GDPR requirements, and have effective policies, procedures and auditing tools to demonstrate that compliance is being met. You should ensure somebody in your organisation has responsibility for this and regularly reviews your systems and controls to ensure that they remain adequate.
Data Protection Officer
Organisations that are public bodies, or whose processing either involves (a) regular and systematic monitoring of data subjects on a large scale, or (b) large scale processing of special categories of data, will be required to appoint a suitably qualified Data Protection Officer.
Everybody in your organisation needs to know and understand how GDPR affects them. If you have a compliance failure you’ll need to be able to show what action you took to prevent it from occurring and that includes making sure that employees were properly trained on how to meet their obligations.
What happens if you get it wrong?
The ICO can impose fines of up to 4% of turnover for non-compliance related to GDPR so make sure your organisation is prepared.
We are experts in regulatory compliance and regulatory technology. Speak to the Scott Robert team today for a no-obligation discussions about how we can help.