In May 2018 a new law, the General Data Protection Regulation (GDPR), comes into force. It brings about the biggest change to data protection law in over 20 years. Family owned businesses, which form an enormous proportion of the UK’s economy, will need to take notice of it and be prepared.
There has been a lot of coverage, not least because of the headline-grabbing threat of fines of up to €20m, but many remain unsure of what they should actually be doing to get ready.
The following key steps will help you understand what will be required in practical terms.
- Audit your data - you will need to know what data you hold, where it comes from, what you do with it, where you keep it, who you share it with and what happens to it when it is no longer needed.
- Fair processing notices - whether you refer to them as FPNs, privacy policies, data protection statements or something else entirely, the information that you give to individuals when you collect their data will need to be updated to meet the new information standards in the GDPR.
- Consent mechanisms - under the GDPR you must meet a higher standard of consent and record how and when consent was obtained, all of which will require some updating to your current systems.
- Streamline your SAR process - the GDPR reduces the time for responding to a Subject Access Request (SAR) from 40 days to one month (and abolishes the £10 fee). Individuals also have new rights under the GDPR, specifically the right to be forgotten and the right to data portability. You will need to ensure you understand what these rights involve and how you will comply with them.
- Record your processing - from May 2018 you will no longer have to register with the Information Commissioner’s Office (ICO) but you must keep a written record of your processing activities, security measures and data retention practices instead.
- Appoint a Data Protection Officer - for many organisations this will be a mandatory requirement under the GDPR.
- Update your breach procedures - from May 2018 mandatory breach reporting will begin: most breaches must be notified to the ICO within 72 hours, and you must keep a full internal breach register.
- Train your staff - staff awareness is absolutely crucial to compliance. Different staff members will require different training depending upon their role and responsibilities but all staff will require some basic awareness training around the GDPR at the very least.