GDPR – what you need to know

In response to the rise of data breaches and cyber-attacks, the EU’s GDPR (General Data Protection Regulation) came into force on 25th May 2018. It’s designed to protect an individual’s personal data and make organisations accountable for the way they handle information.

Below we have compiled the key information you need to know, including a quick questionnaire to see if you are compliant. Consider how GDPR will impact your organisation. We can provide consultation and support to help you become compliant – just complete the enquiry form and we will be in touch.

Key facts:

  • GDPR applies to all organisations (both public and private) that process personal data of EU citizens
  • You will need to record how, and when, an individual gave consent for their details to be used
  • You will need to respond quickly to consumers’ requests for data you hold on them
  • You will need to report any data breach within 72 hours
  • You could face heavy fines of up to 20m Euros or 4% of turnover for compliance breaches

GDPR Overview

Personal privacy

Individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data

Controls & notifications

Organisations will need to:

  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing

Transparent policies

Organisations are required to:

  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies

IT and training

Organisations will need to:

  • Train personnel and employees
  • Audit and update data policies
  • Employ a Data Protection Officer (if required)
  • Create and manage compliant vendor contracts

GDPR Compliance Solution

Our GDPR Compliance Solution provides you with the tools, the training, the documentation and a certificate that proves that you are compliant. So why wait? Contact us to find out how we can help your business - click here.

Take our GDPR compliance risk assessment

In less than 3 minutes you can find out how exposed your business could be to non-compliance with GDPR. We have taken the essential requirements as defined in GDPR legislation so that you can quickly see if your business is at risk or not.

1. Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

4. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

5. Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

6. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

8. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

9. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.

11. Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

12. International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

What is personal data?

The definition of personal data under GDPR has been expanded. Personal data now counts as any of the following:

  • Name
  • Home address
  • Photo
  • Email address
  • Bank details
  • Posts on social networking websites
  • Medical information
  • A computer’s IP address

If you collect, store or process any personal information about your customers, GDPR applies to you.


Consent is a big issue. You already need consent to process someone’s data, but until now you only had to ask once. Not anymore. With GDPR you require permission to use customer data for different things, such as marketing, maintenance, fraud checks and support. And you need to record when that consent was given. Pre-ticking boxes and asking people to untick them will no longer be accepted.

Right to erasure

Another key change under GDPR is the ‘right to be forgotten’. It lets individuals withdraw consent, meaning that a company would have to delete any information it held about them.

Subject Access Requests (SAR)

Individuals already have a right to access their personal data through a SAR. However, with GDPR, organisations will have to deal with requests more quickly (within 30 days), as well as providing additional information and making the data available in electronic format. There can be no charge for this information.

Data security

GDPR has specific provisions to promote security and privacy as a design principle. Organisations must show that they have made their data processing compliant. GDPR specifically mentions encryption and pseudonymisation – the process of separating personally-identifiable information from other data attributes to avoid security risks – as a means of achieving these goals.

Data breach notification

Data breach notification becomes mandatory under GDPR. Small businesses shouldn’t assume this doesn’t apply to them because they think that they’re unlikely to be hit. Regulators will want to see a procedure for notifying the ICO of any compromise.

Consider a data protection officer

Many organisations will need to appoint a data protection officer to oversee ongoing privacy arrangements. A small business with limited resources might consider getting external help.

What About Brexit?

Brexit will have little impact on GDPR’s implementation. The UK Government have already confirmed a similar set of guidelines will be enforced so UK organisations can continue to trade within the EU.

GDPR enforcement and penalties

Organisations that do not comply with GDPR will face heavy fines of up to £20m or 4% of turnover, whichever is greater. There have been a number of high profile cases recently; after 25th May the fines can be much greater.

  • TalkTalk fined £100,000 for putting customers at risk from scammers
  • The CPS fined £200,000 for failing to keep recorded police interviews
  • Carphone Warehouse fined £400,000 after serious failures placed customer and employee data at risk

Getting ready for GDPR

GDPR can seem like a big burden for small businesses – so where should you begin? The Information Commissioner’s Office (ICO) has created a helpful guide that lists the various steps your organisation should go through to be ready for May 2018.

Find out more about our GDPR solutions

    If you would like to know more call 0800 755 5000 or click here and we'll contact you