What You Need to Know About the GDPR Jan 17, 2018Views: 291
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force. It is designed to give tighter security to personal information. Data controllers and data processers are responsible for ensuring personal data is held securely. For organisations that breach the GDPR the fines are potentially huge – potentially running into millions of pounds – a fine of up to £10 million or 2% of turnover. The data controller carries the heaviest burden whilst data processors need to ensure that data is held confidentially and compliantly and security problems are addressed. The government has announced an intention to actively police this law.
There are six processing principles – lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality.
So what an organisation do to prepare for this onerous responsibility?
The first step would be to undertake a data protection audit. Depending on the size of the organisation it might be a good idea to create a project team from across different departments. For smaller organisations a team of at least two is ideal. The audit will then need to identify the data that is collected along with the purpose, identify the legal basis you are seeking to rely on, review data collection, storage, retrieval and record keeping, review service providers and data processors (including third party outsourced partners) and analyse risk from any compliance gaps. The organisation should then update or implement relevant policies such as data protection, recruitment, IT, disciplinary, whistleblowing, data subject access requests and privacy notices.
As many private sector organisations may not currently have a privacy notice in place it is essential to develop one that give information to employees and customers on what and how their data will be processed. The privacy notice needs to also detail their rights and obligations clearly identify the Data Controller (usually the CEO) and what to do in the event of discovering a data protection breach. A detailed privacy notice could be issued along with an employment contract or become part of a staff handbook for employees.
Given the seriousness of this forthcoming law and the implications for non-compliance, it might be a good idea to implement training in the GDPR across the workforce.
You need to be logged in to comment