The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Here’s everything you need to know to ensure you’re prepared for it.
What is the GDPR?
In the UK, users’ data has been protected under the Data Protection Act 1998 for 20 years. However, we now live in a world where people routinely grant companies permission to use their personal information in exchange for free services. The GDPR has been introduced to give people more control over how companies use their data.
Why is the GDPR being introduced?
The most significant factor at play is the change in how people’s data is being used. Ongoing coverage has highlighted the fact that businesses such as Facebook, Amazon, Google and Twitter offer free services in exchange for user data.
As well as giving people more control, the GDPR also seeks to give organisations clarity on how they can and can’t behave. Substantial fines are also being introduced for companies that do not comply with the new rules, and for those that suffer data breaches.
Processing data under the GDPR
As of 25 May 2018, all businesses that are required to abide by the GDPR (those that control and process personal data) must ensure personal data is processed lawfully, transparently and for a specific purpose. Once processing of the data has concluded, and if it’s no longer needed, the data must be deleted.
Below we have set out seven steps you need to take to ensure you’re abiding by the GDPR.
#1 Awareness
Make sure that key decision makers within the business are aware that the law is changing, and that they educate themselves on how it affects them. It’s vital they understand the impact this is likely to have on their day-to-day operations.
#2 Be transparent
The new regulation requires all organisations to be open about the data they hold. As part of an information audit, document what personal data you hold, who you share it with and where it came from.
#3 Act now
Rather than waiting until the regulation applies, make sure you already cover all the rights individuals will have, including but not limited to the right to have their personal data deleted.
#4 Privacy notice update
#5 User Journeys
Review every user journey to check where you’re asking for consent. Any consent request that doesn’t meet the GDPR standard will need to be either changed or removed.
#6 Data Breaches
To avoid those hefty fines, make sure you have the correct procedures in place to detect, report and investigate a personal data breach.
#7 Data Protection Officers
If you don’t already have one, it may well be worth assigning an individual whose role it is to take responsibility for data protection compliance.
To read more about the GDPR and the changes that come into play next month, head to eugdpr.org.