The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. It will replace the current UK Data Protection Act, and businesses should be preparing for it now.
The GDPR follows a Europe-wide review of data protection law, prompted by the huge changes in technology since the current rules were conceived 20 years ago. It builds on the existing concepts and protections of the Data Protection Act and gives individuals more control over their own personal data.
The main changes concern accountability, transparency, data subjects' rights and breach notification. There are also substantially increased penalties for non-compliance.
Practically all businesses handle personal data, so all businesses will be affected by the GDPR. Here are some points to consider:
- Businesses need clear lines of responsibility and an inventory of every activity that involves processing personal data.
- They should consider appointing a Data Protection Officer. This is compulsory for public authorities and for businesses whose core activities involve large-scale processing of "special categories" of (sensitive) data, or large-scale, regular and systematic monitoring of individuals.
- Audit where and how personal data is collected and stored, so that policies, procedures and privacy notices can be drafted accordingly.
- Consider how they will keep records and evidence of compliance. The GDPR makes accountability an explicit obligation: it is not enough to comply, a business must be able to demonstrate that it complies.
If a business relies on consent when it collects and processes data, it should consider whether there is another legal ground for the processing, because consent can be withdrawn at any time and the processing must then stop.
Data that is necessary for performing a contract, or for complying with a legal obligation, can lawfully be collected without relying on consent. This would apply, for example, to employment contracts.
Where consent is required, it must be freely given, specific and informed, and the business must be able to demonstrate that the individual was given all the necessary information before consenting. Consent must be an active opt-in: silence, inactivity or pre-ticked boxes do not count.
Privacy notices: what does a business tell people when it collects their data?
- The business must be transparent. As well as giving the usual information about the identity of the data controller and the reasons for collecting the data, the notice must set out people's legal rights, the legal basis for the processing, whether and how the data is transferred (including outside the EU) and how long it will be retained.
- Access requests: the business will generally no longer be able to charge a fee for giving people access to their data (a reasonable fee can only be charged where a request is manifestly unfounded or excessive), and it must provide the information within one month of the request.
If a business suffers a personal data breach it must:
- Inform the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Inform the individuals whose data has been compromised, without undue delay, where the breach is likely to result in a high risk to them.
- Keep an internal record of every breach, whether or not it had to be reported.
- Ensure staff are trained to identify, handle and report data breaches promptly, since the 72-hour clock starts when the business becomes aware of the breach.