The EU General Data Protection Regulation (GDPR) will replace the existing data protection framework, and has been described as one of the most “significant overhauls” of data legislation in recent years. These changes mean that companies will potentially need to make pivotal adjustments to their digital compliance practices. The new rules do not take effect for over a year, and though the deadline may seem like a future issue, it is best to start planning for these adjustments now, before things become all too current.
Some organisations have already begun working toward these changes, but many have not. “Councils are underprepared for strict new data protection measures according to the UK’s privacy watchdog responsible for enforcing these new incoming rules” and many “do not have a data protection officer, despite GDPR making the role a legal requirement for public bodies.”
What can I do to ensure that my company is compliant?
There are a number of key changes that will leave companies liable if they fail to comply, and these are as follows:
Accountability – crucially, organisations will be required to demonstrate compliance, e.g. (i) maintain records of their processing activities; (ii) carry out privacy impact assessments for high-risk processing; (iii) implement privacy by design and by default in all activities. All of this requires a fair amount of upfront work.
Data protection officers (DPOs) – appointing a data protection officer is now compulsory for certain organisations, including public bodies and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.
Consent – the rules on consent have been tightened. From May 2018 consent must be freely given, specific, informed and unambiguous, and must be “explicit” for special categories of data. As a result, some consents obtained under the old rules may no longer be valid.
Enhanced rights for individuals – new rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
Privacy policies – privacy notices will need to be more detailed; for example, individuals must be told about their new enhanced rights. Existing policies should be revisited and updated.
International transfers – binding corporate rules for controllers and processors as a means of legitimising transfers are expressly recognised for the first time and so should be considered as a transfer mechanism.
Breach notification – the GDPR requires personal data breaches to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and affected individuals must be told without undue delay where the risk to them is high. Existing incident response processes may therefore need to be revised, and organisations without one will need to put a procedure in place.
What should companies be doing and why?
These changes come into full effect in May of next year. This means that if you are a company that trades in the UK or Europe and holds personal data about consumers there, you will have to abide by the new rules or face severe legal consequences.
The watchdog says that embracing GDPR can provide a competitive edge, quite apart from avoiding hefty fines for failing to meet the new regulations or the loss of customer trust that follows non-compliance. Organisations that can demonstrate that they respect people’s personal data are more likely to attract customers, and from a PR standpoint it is certainly a good story for those in the software and information sectors.
As an organisation, you should ensure that you have strong procedures in place by reviewing the steps you have already taken. There are a number of small but effective changes you can make to your IT security practices:
Ensure that privacy notices and policies are GDPR compliant. Do they provide for the new rights individuals have?
Prepare or update your data breach response plan.
Are you lawfully processing your data? Audit your consents to ensure that they are still valid.
Set up an accountability framework, for example, monitor processes, procedures and most importantly, train your staff.
Appoint a DPO where required.
Consider if you have new obligations as a processor – is your contractual documentation adequate? Review your contracts and consider what changes will be required.
Audit your international transfers – do you have a lawful basis to transfer data?
You should also make sure that staff are well informed about the changes that are coming, what can be done to stay in line with them, and how to keep data safe. If you would like to develop a bespoke eLearning programme to educate your staff about these changes, feel free to get in touch with us at Fresh01, or browse some of our past training projects in the cyber security sector. Effective staff training is important so that potential breaches are avoided.