As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws across Europe and beyond.
The new rules:
- Create new responsibilities for organisations that collect, use or store information about people.
- Give people new rights about how their data is collected, used and stored including the right to have data corrected or deleted.
Six things you need to know...
- European regulators will have the power to serve fines of up to 4% of a business' annual worldwide turnover of the preceding financial year
- Where data is lost or stolen, the breaches will have to be reported to the regulator within 72 hours of discovery
- Individuals will have the "right to be forgotten" so that, in some cases, they can demand that their data is deleted
- Where individuals demand to know what information is held on them, the data controllers will have less time to respond, and will not be allowed to charge
- Rights under the GDPR apply to EU citizens, regardless of where the company processing their data is based
- Jersey will implement its own local legislation commensurate with the GDPR
Six things you need to do...
- Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
- Test your organisation's ability to quickly isolate data relating to a specific individual in the necessary time period provided under the GDPR
- Identify a point of contact within the organisation that will deal with Subject Access Requests (SAR) and ensure that their contact details are easily available
- Identify the legal bases you rely on to process data. If you rely on the data subject's consent, consider whether it complies with the GDPR and what changes you may need to make
- Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests
- Review and update your existing contracts and websites to make them GDPR compliant