So what is the General Data Protection Regulation?
“GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.”
“The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
So what must you (as a company) do to be prepared?
1. Become aware:
It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR, and start to factor this into their future planning. They should begin identifying the areas of the business that could cause compliance problems under the GDPR.
2. Become accountable:
Make an inventory of all personal data you hold. Why do you hold it? Do you still need it? Is it safe? This is the first step toward compliance, which requires organisations to demonstrate the ways in which they comply with the data protection principles when transacting business. The inventory will also enable organisations to correct inaccurate data or track third-party disclosures in the future, which is something they may be required to do.
3. Communicating with Staff and Service users:
Review all your data privacy notices and make sure you keep service users fully informed about how you use their data. Identify any gaps between the level of data collection and processing your organisation actually engages in and what you have told your customers, staff and service users about it. If gaps exist, return to step 2 as your guide.
4. Personal Privacy Rights:
You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide it electronically and in a commonly used format.
Rights for individuals under the GDPR include:
> subject access
> to have inaccuracies corrected
> to have information erased
> to object to direct marketing
5. Access Requests:
You should review and update your procedures and plan how you will handle requests within the new timescales. There should be no undue delay in processing an access request and, at the latest, it must be concluded within one month.
6. What we mean when we talk about a legal basis:
Individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.
7. Using Customer Consent as grounds to process data:
If you rely on customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous.’ Essentially, your customer cannot be forced into consent, nor be unaware that they are consenting to the processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they have consented. Obtaining consent requires a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity.
8. Processing Children’s Data:
If the work of your organisation involves processing children's data, you must ensure that you have adequate systems in place to verify individuals' ages and to gather consent from a parent or guardian where it is required (under the GDPR the default age of digital consent is 16, although member states may set it as low as 13).
9. Reporting Data Breaches:
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will bring in mandatory breach notification, which will be new to many organisations. Breaches must be reported to the DPC without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals (for example, because the data was effectively anonymised, or was encrypted and the keys were not compromised). In practice this will mean that most data breaches must be reported to the DPC. Breaches likely to result in a high risk to individuals, such as identity theft or a breach of confidentiality, must also be communicated to the individuals concerned. Now is the time to assess the types of data you hold and document which of them fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, at both central and local level.
10. Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default:
A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organisations to identify potential privacy issues before they arise and to come up with a way to mitigate them. A DPIA can involve discussions with relevant parties and stakeholders. Ultimately such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR introduces mandatory DPIAs for organisations involved in high-risk processing; for example, where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale monitoring of a publicly accessible area.
11. Data Protection Officers:
The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring a DPO include public authorities, organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process what is currently known as sensitive personal data (special categories of personal data under the GDPR) on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.
12. International Organisations and the GDPR:
The GDPR includes a ‘one-stop-shop’ provision which will assist organisations that operate in many EU member states. Multinational organisations will be entitled to deal with one Data Protection Authority, referred to as the Lead Supervisory Authority (LSA), as their single regulating body in the country where they have their main establishment. That Data Protection Authority will then act as the LSA in regulating all data protection matters involving that organisation, although it will be obliged to consult the other concerned Data Protection Authorities on certain matters.
Are you unsure where to start?
Heard the noise about the above but not sure whether it affects you?
Need to put a plan in place sooner rather than later? (The GDPR applies from the 25th of May 2018.)
If yes to any of the above, contact us now to help your organisation.
CommSec will take you along the General Data Protection Regulation Journey to make your organisation compliant.
*Source: GDPR and You