.. I get asked this question most of the time….. But before I can answer this (and firstly Don’t Panic) , perhaps we should dispel some myths:
NEW LAW – not really! GDPR is an extension of the Data Protection Act 1998 and brings into law some aspects currently considered “best practice” – such as “Privacy by Design” (more on this later).
The GDPR becomes law in the UK (and the rest of the European Economic Area) on 25th May 2018. The Information Commissioner’s Office (ICO) hopes that the new Act will be ready at the same time! Together they will form data protection legislation in the UK and beyond Brexit.
CONSENT – a lot of people are saying you MUST have an individual’s consent to process data every time you want to do something with it – this is simply NOT the case! You DO need consent to send someone marketing material if you have not had previous contact with them; you DO need consent to process “special category data” such as physical/mental health or condition – but these conditions already exist in the current legislation.
Otherwise you do NOT need consent to process data.
I NEED TO SHUT DOWN AND START AGAIN – why? If the business processes you have in place work for your business then why not make GDPR/data protection “fit” into those processes!
So – “what do I need to consider to make my business compliant and avoid the even higher fines under GDPR”?
1 – a data audit – “Privacy by Design” requires you to look into your organisation; asses what personal data /special category data you hold, process, store and how you store it? Is it paper or electronic? If its structured both formats count. Then document this and you can prove Privacy by Design.
3 – “short” privacy notices – on forms (both manual and electronic); email footers and contact forms on websites are common areas for these to be added…only need to be a couple of sentences (but must convey the correct information).
4 – Data Retention Schedule: This needs to be done by the organisation. Look at the data you hold and where you hold it. Then decide what the need for it is in terms of how long you need to keep it. Some data will have a retention period designated in law which may apply to your business sector…
Then record this information. It will not only comply with GDPR, but make it easier to locate data and whether or not you still hold it in response to a Subject Access Request. (A “subject access request” is a request by the person for data you hold about them)
5 – Assess whether you/the organisation is a “data controller” for the data – processing you do and control over the data …..or a “data processor” – processing data on behalf of someone else and under their instructions – eg putting their data onto a platform you supply.
6 – If you do nothing else, you MUST register with the Information Commissioner’s Office (ICO) – www.ico.org.uk. You process data separately from any other organisation and if you process data electronically – as nearly all of us do (email, website, on desktop, laptop, tablet, smartphone), registration is mandatory. This needs to be in place before May when a new system comes in and the fines are large.
HardSoft are not a GDPR expert but we do profess to know more than most. We are responsible for the support of very very many Servers and systems on a poplar business lease. We are sharing our views on GDPR for both existing and new clients. If you need to know more we are open to help. The latest GDPR bulletin is available to download here.