GDPR - GOOD OR BAD FOR BUSINESS?

Time to #GDPR - Get (your) Data Programs Right ;#dataprotection #security #cybersecurity #data #DataPrivacy #Help #workplace #dataprivacy #business

General Data Protection Regulation (GDPR) – has been passed and will come into force on May 25, 2018. The changes it brings will have implications for businesses of all sizes that process the personal data of Europeans, whether in or out of the EU.

Most of the core concepts existing under the current EU data protection regime (Data Protection Directive or DPD introduced in 1995) will remain broadly similar, such as the concept of personal data, data controllers and data processors. However, many new concepts and approaches will come into force that may create compliance difficulties for businesses.

Let me explain 12 preparation steps here to preparing for the General Data Protection Regulation (GDPR)

1 Awareness

• Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
• Decision makers need to appreciate the effect this is likely to have and identify areas that could cause compliance problems under the GDPR.    
• If you don’t have an organisation’s risk register, it is time to start one, this will help you when implementing GDPR.
• The organisation must understand Implementing the GDPR could have significant resource implications, depending upon size and complexity of organisations. So prepare the earliest

2 Information you hold

•  Organise an information audit across the organisation or within particular business areas
• Document what personal data you hold, where it came from and who you share it with.
• Maintain records of your processing activities and make sure that policies and procedures in place
• If you have inaccurate personal data and have shared this with another organization, you will have to tell the other organization about the inaccuracy so it can correct its own records.

3 Communicating privacy information

• Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
• Privacy notice: the company must provide information in concise, easy to understand and clear language that explains your lawful basis for processing the data, your data retention periods
• Always remember that individuals have a right to complain

 4 Individuals’ rights

 Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Rights for individuals:

1. The right to be informed;
2. The right of access;
3. The right to rectification;
4. The right to erasure;
5. The right to restrict processing;
6. The right to data portability;
7. The right to object; and the right not to be subject to automated decision-making including profiling.

 Right to data portability

 It only applies to personal data an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.

Consider whether you need to revise your procedures and make any changes. You will need to provide the personal data in a structured commonly used and machine readable form and provide the information free of charge.

 5 Subject access requests

•  Update your procedures and plan how you will handle requests to take account of the new rules , You will have a month to comply, rather than the current 40 days.
• You can refuse or charge for requests that are strikingly baseless or unnecessary.

If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy.

• Must do this without undue delay and at the latest, within one month.
• If your organisation handles a large number of access requests, consider consider whether it is feasible or desirable to develop a systems that allow individuals to access their information easily online.

6 Lawful basis for processing personal data

•  Explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
• Document your lawful bases in order to help you comply with the GDPR’s ‘accountability’ requirements.

 7 Consent

•  Review how you seek, record and manage consent and whether you need to make any changes make sure that existing consents meets new GDPR standard.
• Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in 
• consent cannot be inferred from silence, pre-ticked boxes or inactivity.
• must be separate from other terms and conditions,
• People must able to withdraw consent in simple steps
• Remember that Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.

8 Children

• If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.
• The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
• Privacy notice must be written in language that children will understand. ??

 9 Data breaches

•  Make sure you have the right procedures in place to detect,report and investigate a personal data breach.
• Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

10 Data Protection Impact Assessments(DPIA)

•  DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

where a new technology is being deployed; where a profiling operation is likely to significantly affect individuals; or where there is processing on a large scale of the special categories of data.

 If a DPIA indicates that the data processing is high risk ,then assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?

 11 Data Protection Officers

• Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
• Consider whether you are required to formally designate a Data Protection Officer (DPO).
• The organisation must designate a DPO if you are: · a public authority (except for courts acting in their judicial ,capacity); · an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or · an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

 12 International

• If the organisation operates (share data) in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
• The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or else the location where decisions about the purposes and means of processing are taken and implemented.

Reference ICO .To learn more visit click below