Get Up To Speed With the Facts About GDPR
With data breaches and their consequences in the news on a seemingly weekly basis these days, the whole subject of data protection has been given a much higher priority by UK businesses.
More Things Count As Personal Data
GDPR will cover a much wider area in terms of what counts as personal data.
Obtaining Valid Consent For Information Use Could Be A Challenge
Under the new regulations, your organisation MUST be able to PROVE clear and affirmative consent to process personal data. This means that your organisation must explain clearly and exactly what personal data it is collecting and how it will be processed and used. Your organisation will therefore need to make sure that this step is built into every occurrence of personal data collection, without fail, and that the proof is stored and can be accessed quickly if necessary.
Many Organisations Must Appoint a Data Protection Officer (DPO)
If you are a public authority processing personal information, if your main activity involves the regular and systematic monitoring of data subjects on a large scale, or if your main work involves the large-scale processing of special categories of data, you will need to appoint a DPO.
Privacy Impact Assessments (PIAs) Are Mandatory
Under the GDPR, Data Controllers must conduct PIAs where privacy breach risks are high, so that the risks to data subjects are minimised. In other words, wherever risks to data subjects need to be minimised, a PIA will be needed.
There Will Be a Common Data Breach Notification Requirement of 72 Hours
Your organisation will need to have the capability and systems in place to enable it to monitor for, identify, and notify the ICO of a data breach within 72 hours of discovering it.
All Data Subjects Will Have ‘The Right To Be Forgotten’
Your organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (when consent was given for that specific purpose), and must delete any data about a subject at the request of that data subject. This gives subjects the right to opt out completely, i.e. the ‘right to be forgotten’.
Liability Goes Beyond Data Controllers
Under GDPR it won’t just be the Data Controller (DC) who is held liable for data processing issues.
Privacy Must Be Designed and Built In To The System
Your software, your systems and your processes must be designed around compliance with the principles of data protection at every step of the way.
The Regulations Apply Wherever You Are In The World
Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.
What Does This Mean For Your Business?
GDPR will mean that companies like yours will need to take a fresh look at how they deal with personal data.