Europe is going to witness a major overhaul in data protection law with effect from May 2018, which is likely to affect every business in the UK.

The General Data Protection Regulation (GDPR) requires businesses to properly protect and maintain the privacy of customer data. Businesses are required to comply with the new regulation or run the risk of heavy fines. Here are the steps issued by the Information Commissioner’s Office (ICO) to ensure companies are ready for the GDPR compliance deadline.

The steps are as follows:

Step 1: Educating about GDPR

The law requires that senior officials and decision-makers know about the rights and obligations it creates. Why is awareness important? If decision-makers are aware of the law and the company is actively raising awareness of the GDPR rules, the ICO may show leniency on potential penalties.

Step 2: Information Auditing

Companies will need to keep track of all data movement to and from the company. The GDPR rules require a company to maintain records of its data processing activities. Why is it important? The business will be required to show how it complies with the GDPR’s accountability principle, so well-documented policies and procedures will help it demonstrate accountability.

Step 3: Privacy Statement Broadcast

All businesses collecting user information need to communicate this to the user through a privacy policy statement. If you have not yet planned the changes required to communicate these privacy notices, this is the time to review them. Why is it important? According to the ICO, companies will need to explain their process for collecting user data, the lawful basis that allows them to collect it, how long the data will be retained and how they are going to use it. The ICO’s Privacy Notices Code of Practice gives the guideline for this.

Step 4: User’s Rights

Updating, adding and even deleting user data – everything is covered under the GDPR. The GDPR includes the following rights for individuals:

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to erasure;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object; and
  8. the right not to be subject to automated decision-making, including profiling.

Most of these rights already existed under the Data Protection Act (DPA); the right to data portability is completely new. It only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or on the performance of a contract; and
  • when processing is carried out by automated means.

Step 5: The Lawful Basis for Processing Data

Businesses need to identify and document the lawful basis on which they collect user information. This should be recorded and reflected in the privacy policy statement on the website. Under the GDPR, people will have a stronger right to have their data deleted where a business relies on consent as its lawful basis for processing.

Step 6: Consent

Companies that collect data should review how they seek, record and manage the consent a user gives when data is collected. Consent cannot be inferred from pre-ticked boxes or from inactivity.

Consent must be freely given, specific, informed and unambiguous. It cannot be bundled in with other terms and conditions, and it must be as easy to withdraw as it was to give.

Step 7: Children

The GDPR introduces special protection for children’s personal data, particularly on social networking sites. Any company offering online services to children must obtain consent from a parent or guardian. The GDPR sets the age at which a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).

The consent statement for children should appear in a language they can easily understand.

Step 8: Data Breaches

Every business collecting data should have robust procedures in place to prevent loss of data. In the event of a data breach, the business must be able to detect, report and investigate the loss of personal data.

If the lost data is likely to result in a risk to the rights and freedoms of an individual, the business should immediately notify the Information Commissioner’s Office (ICO). Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.

Step 9: Data Protection Officers

Companies will need to designate someone to take responsibility for data protection compliance. A Data Protection Officer (DPO) is required if the company falls into one of the following categories:

  • A public authority (except for courts acting in their judicial capacity);
  • An organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
  • An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

The DPO (internal or external) must have the knowledge, support and authority to carry out their role effectively.

Step 10: International Business

If an organisation operates in multiple EU member states, it should identify its lead data protection supervisory authority, and this should also be documented. Generally, the lead authority is the supervisory authority in the state where the organisation has its headquarters.

Where this applies, the organisation must establish where it makes its most significant decisions about its data processing activities.
