Bluestep’s responsibilities as a supplier of websites, software and other online platforms, often handling sensitive data, require us to stay on the ball with changes and updates in regulations and procedures.
On 25 May 2018, one of the most important changes in data privacy regulation comes into force.
The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive and, in the UK, the Data Protection Act (DPA). It introduces changes and enhancements to current policies that strengthen and unify data protection for individuals residing in the EU. Its main focuses are transparency and individuals’ rights. Are you prepared?
How important is compliance?
While ensuring compliance across all areas of your organisation may at first appear time-consuming and inefficient, it will save you from detrimental implications in the future. Failure to comply with the new procedures and requirements can result in fines of up to €20 million or up to 4% of annual global turnover, whichever is higher, which could be financially devastating for some organisations.
Who does it apply to?
If your organisation’s day-to-day responsibilities involve handling or protecting personal data about individuals in the EU, wherever your organisation is based, you should make sure you’re educated on the GDPR and ready for its commencement.
What exactly constitutes personal data?
Any information relating to an identified or identifiable individual. People can be identified through a number of identification elements including name, occupation, address, physical characteristics, or online identifiers such as an IP address or a cookie ID.
Aren’t we leaving the EU? Why do we still need to comply with EU laws?
Yes, Brexit is very much still happening. But the government has decided that the UK’s decision to leave the EU will not affect the GDPR’s commencement in May 2018.
How do we prepare?
If you are already following existing approaches within the DPA, the transition should not be too difficult…
Ensure all employees, key decision-makers, and stakeholders are aware of the GDPR and its implications. For larger companies, there could be effects on budgets, IT, personnel, governance and communications. All departments should be provided with the knowledge to handle the changes efficiently.
All personal data you hold should be documented. To make things simpler, you should consider organising an information audit. The GDPR requires you to know where the information came from and exactly who you share it with.
We recommend an extensive review of all existing procedures to ensure they comply with the GDPR’s requirements on privacy notices and individuals’ rights. Individuals’ rights include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure, a.k.a. ‘the right to be forgotten’
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
If any of the personal data you hold turns out to be inaccurate and you rectify or erase it, it’s your responsibility to inform any organisations you have shared this data with so that their records can be updated accordingly.
It’s also your responsibility to review all consent procedures and ensure these adhere to the new GDPR standard: consent must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was obtained. This falls closely in line with individuals’ rights, so it is high up on the list of priorities for your organisation. Read the detailed guidance to help review your current consent procedures.
Similarly, parental/guardian consent should be obtained if processing activity involves data belonging to children. The GDPR sets the age threshold at 16 but allows member states to lower it to 13, which is the age the UK has chosen. Remember, the GDPR requires you to maintain records of all processing activity.
The introduction of stricter processes could require your organisation to designate new responsibilities to a data protection officer. Appointing one is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily. If you don’t already have one and need one, hire one. You should consider how this role will sit within your existing company hierarchy and consider the impact of the additional responsibilities.