The Data Protection Act 1998 is old news. Taking over is the General Data Protection Regulation (GDPR). The Regulation will harmonise data privacy laws across Europe. It will protect EU citizens’ data privacy and give citizens rights over the data you hold about them.
The GDPR is already in force, but companies have been given a two-year period to comply, so you have until 25 May 2018. This may sound far off, but there is a fair amount of work to be done to make sure you will comply.
An interesting aspect of the GDPR is that it doesn’t just apply to organisations within Europe. It applies worldwide to all companies processing and holding data about European subjects living in the European Union, regardless of whether the company itself is located in the EU or not. Such organisations may well be your overseas suppliers or business partners. If you are passing data about your European-based customers to them, you will need to check whether they comply with the GDPR.
Brexit will offer no respite. The UK Government has said it intends to implement an equivalent or similar legal mechanism to the GDPR.
Should you wish to flout the law, the penalty for a breach will be up to 4% of annual turnover or €20 million. It is expected, though, that unless you are knowingly in serious breach of the Regulation, such a high fine would not be levied.
I know a few companies that have already started reviewing the data they hold to ensure that, by May 2018, they will comply with the GDPR. If you have not yet started a project, my advice is to get going sooner rather than later. As with all resource-intensive projects, it is always much better to have more time available rather than less.
If you have not yet started a project, here are some steps you might take:
- Learn about the GDPR. The Information Commissioner’s Office website has some good bedtime reading.
- GDPR is not just an IT project. You will need to get everyone on board. Keep staff and management regularly updated as the project progresses.
- Across all departments of your organisation, you will need to discover all the personal data that you hold. You will need to know what it is, where it is and how it is used. This will all need to be recorded, and the records will need to be kept up to date.
- You will need to know about the whole data chain. It will be your responsibility to make sure your suppliers know about the GDPR and are taking similar action to you. Get in touch with them and find out what they are doing about complying with the GDPR.
- You may need to update privacy policies, ensuring they are clear, concise and that consent functions are thoroughly tested.
- You will want to develop and test procedures for handling the following:
  - Subject access requests (the right of people to see the data you hold about them)
  - Subject access rectifications (correcting inaccurate data)
  - Subject access portability (providing data in a format that can be passed on)
  - Actioning all right-to-be-forgotten requests (removing people’s data and proving that this has been done). Bear in mind this will also need to be done by the third parties to whom you are passing personal data.
Yes, GDPR compliance is going to take time, but don’t ignore it. It’s got to be done, so it is best to get going.