It may feel like a long time until the deadline of 25 May 2018 hits, but you shouldn’t be tempted to leave it until the last minute to make sure your business is ready. In fact, we recommend you start acting now in order to have everything up and running in good time.
Why is the law changing?
It has been nearly 20 years since the UK’s data protection laws were last updated, in the form of the Data Protection Act 1998. That legislation was intended to bring UK law into line with the EU’s Data Protection Directive, which was introduced in 1995, and it’s fair to say that a lot has changed since then.
The aim of the new regulation is to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. The general view is that a single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses.
With this in mind, GDPR is intended to bring the data protection laws for EU member states into the 21st century. GDPR emphasises transparency, security and accountability by data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy.
What should you do to prepare?
Put simply, GDPR aims to return control of personal data to users, and simplify the regulatory environment. You can expect to hear a lot about how your business may need to adapt ahead of May 2018, but for now the advice being given by a number of independent bodies, including the Information Commissioner’s Office (ICO), is:
- Make sure that all decision makers and key people in your organisation are aware of the changes and understand the impact they will have.
- Consider organising an information audit to help you get to grips with exactly what personal data you hold and where.
- Review current privacy notices and put a plan in place for any changes deemed necessary.
- Ensure your procedures cover all the rights individuals have, including how personal data is deleted or provided electronically.
- Update procedures concerning subject access requests and plan how they are to be handled within the new timescales (under GDPR the 40-day limit is cut to one month, and in most cases you will no longer be able to charge a fee).
- Look at the various types of data processing your business carries out and identify the legal basis for it.
- Review how your business seeks, obtains and records consent and whether this will need to change.
- Think about putting systems in place to verify individuals’ ages and gather parental/guardian consent if required.
- Get the right procedures in place to detect, report and investigate personal data breaches. GDPR introduces a duty to notify the supervisory authority of a breach that is likely to put individuals' rights at risk within 72 hours of becoming aware of it, so your detection and escalation process needs to work against that clock.
- Familiarise yourself with available guidance on Privacy Impact Assessments, known under GDPR as Data Protection Impact Assessments (DPIAs), including when and how to implement them.
- Designate a Data Protection Officer to take responsibility for data protection compliance. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data; if that does not apply to you, you should still decide who will own compliance.
- For businesses that operate internationally, it is important to determine which data protection supervisory authority you will come under as your lead authority.
Above all, don’t worry! With over a year left until changes come into effect there is plenty of time to prepare, and if you have any further questions about GDPR or would like more information on the above please feel free to get in touch.