Europe is going to witness a major overhaul in data protection law with effect from May 2018, which is likely to affect every business in the UK.
The General Data Protection Regulation (GDPR) requires businesses to properly protect and maintain the privacy of customer data. Businesses are required to comply with the new regulations or run the risk of heavy fines. Here are some steps issued by the Information Commissioner's Office (ICO) to ensure companies are ready for the GDPR compliance deadline.
The steps are as follows:
Step 1: Educating about GDPR
The law requires that senior officials and decision-makers know about the rights and obligations it creates. Why is awareness important? If the decision-makers are aware of the law and the company is raising awareness of the GDPR rules, the ICO may show leniency on potential penalties.
Step 2: Information Auditing
Companies will need to keep track of all data movement to and from the company. The GDPR rules require a company to maintain records of its data processing activities. Why is this important? The business will be required to show how it complies with the GDPR's accountability principle, so documented policies and procedures will help it demonstrate that accountability.
Step 3: Privacy Statement Broadcast
Step 4: User’s Rights
Updating, addition and even deletion of user data – everything is covered under the GDPR. The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making, including profiling.
These rights were also present in the DPA, while the right to data portability is completely new. It only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual's consent or on the performance of a contract; and
- when the processing is carried out by automated means.
Step 5: The Lawful basis of processing data
Step 6: Consent
Companies which collect data may be required to review how they seek, record and manage the consent given by the user when data is collected. The user must not be bound to consent through pre-ticked boxes or inactivity.
Consent must be freely given, specific, informed and unambiguous. Consent cannot be bundled in with other terms and conditions. Additionally, it must be just as easy to withdraw consent as it was to give it.
Step 7: Children
The GDPR introduces special protection for children's personal data, particularly on social networking sites. Any company offering online services to children must get consent from their parent or guardian. The GDPR sets the age at which a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
The consent statement for children should appear in a language they can easily understand.
Step 8: Data Breaches
Every business collecting data should have a robust procedure to ensure there is no loss of data. In the event of a data breach, the business should have the means to detect, report and investigate the loss of personal data.
If the lost data could lead to a risk to the rights and freedoms of an individual, the business should immediately inform the Information Commissioner's Office (ICO). Failure to report a breach when required to do so could result in a fine, in addition to a fine for the breach itself.
Step 9: Data Protection Officers
Companies will need to designate someone to take responsibility for data protection compliance. A Data Protection Officer (DPO) is required if the company is one of the following:
- A public authority (except for courts acting in their judicial capacity);
- An organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
The DPO (internal or external) must have the knowledge, support and authority to carry out their role effectively.
Step 10: International Business
If an organisation operates in multiple EU member states, it should identify its lead data protection supervisory authority. This information must also be documented. Generally, the lead authority is the supervisory authority in the state where the organisation has its headquarters.
Where this is relevant, an organisation must work out where it makes its most significant decisions about its data processing activities.