18th April 2018
Just in case you didn’t know, the General Data Protection Regulation (GDPR) comes into force on 25th May. The new regulation will supersede the current Data Protection Act and builds on the existing legislation.
The way in which organisations use data has changed massively over recent years, and breaches of data security are becoming more and more frequent, potentially affecting the way we live our lives. So it may come as a relief to know that the GDPR sets out to modernise the way data is handled and bring this into the 21st Century. But if you are thinking that GDPR is only for larger organisations and businesses you’re wrong! The GDPR affects everyone …
Our interactive training courses are designed to raise awareness of the key aspects of GDPR, Data Protection and employee responsibilities in preparation for 25th May and beyond, but here are 10 key facts about the GDPR which you may need to consider before beginning to implement any changes.
- The new regulation was introduced in 2016; however, organisations now only have until 25th May 2018 to be compliant
- GDPR will look to change the way organisations collect, store, process and protect personal information for their clients, employees and customers
- Leaving the EU will have no impact on whether or not the GDPR regulations come into force. Special considerations also need to be made for companies trading internationally
- The GDPR applies to all companies across the globe who process personal data of EU citizens
- DPA consent isn’t enough. As stated in article 4 of the GDPR, consent means “…any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. This means customers will need to opt into an agreement with an organisation voluntarily, and that agreement must be clearly explained and state how their data will be handled. There must not be an automatic enrolment where customers have to opt out
- Accountability is key. Organisations will need to understand any risks they create for data subjects and mitigate those risks. There will need to be a better approach to governance and compliance, with robust processes in place
- Organisations will need to have a dedicated Data Protection Officer if they fall into any of the following categories: they are a public authority, they carry out large-scale tracking of individuals, or they carry out large-scale processing of special categories of data or of data relating to criminal convictions and offences
- Mandatory privacy impact assessments (PIAs) will be introduced, meaning data controllers will need to conduct a PIA wherever the risk of a privacy breach is high, in order to minimise the risks to data subjects
- Data breaches will need to be notified to the local data protection authority within 72 hours of the breach being discovered. Organisations will therefore need to ensure their technology and employees are able to detect these breaches effectively
- The way in which data can be held by organisations is changing. Under the GDPR, companies can only keep data for as long as it remains absolutely necessary and can only use the data for the original purpose for which it was collected. If companies wish to use it for a different purpose they will need to obtain permission from the data subject. Data subjects also have the right to be forgotten, which means they can ask to have all of their data deleted, and organisations must comply with that request.