Insight into GDPR legislation changes 2018
In April 2016 it was announced that there will be an amendment to the current GDPR legislation taking effect from 25th May 2018. This legislation covers all countries within the EU.
As with any legislation, sanctions can be imposed from a warning to a fine of up to 4% annual worldwide turnover! Based on this it would be best to take action now, right?!
With over 16,400 searches via Google in the last 24 hours, I have put together a very brief blog on the new GDPR legislation.
Why are they changing the legislation?
Ultimately, the legislation will strengthen and unify data protection for all individuals within the EU with the aim primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.
What are the biggest challenges?
The biggest challenge is simply understanding what each business needs to do to ensure it is compliant – each company is assessed differently as to how long it has to contact ‘citizens’ to confirm they consent to it keeping their data.
Implementation of the EU GDPR will require comprehensive changes to business practices for companies that have not implemented a comparable level of high privacy before the regulation was enforced.
The European Commission and the DPAs (Data Protection Authorities) have to provide sufficient resources and power to enforce the implementation, and a uniform level of data protection has to be agreed upon by all European DPAs, since differing interpretations of the regulation might still lead to different levels of privacy.
What do you need to do?
- Appoint a DPO (Data Protection Officer) – all public organisations and companies with over 250 employees are required to have a DPO.
- Amend your policies and procedures
- Ensure staff are trained in how to provide citizens with their data, when to delete data and how to be fully compliant (this will aid you should you be audited)
- Put a data breach response plan in place – you need to report any data breach within 72 hours if it is likely to affect citizens.
- Ensure you have a ‘Right to be Forgotten’ plan in place (exceptions – legal obligation, public interest or public health)
- Be aware of the SAR (Subject Access Request) changes – the first one is now free and the response time is now 1 month.
- Inform citizens of why you will be keeping their data, for how long and what it will be used for – it is important to be transparent!
- Ensure you only use data for the purpose for which you originally retained it.
Sam Hussain, Co-Founder | HealthTech