Are you prepared for the General Data Protection Regulation (GDPR)?
The new General Data Protection Regulation will apply from 25 May 2018.
It is very important that all organisations ensure they are compliant with the GDPR, as non-compliance may lead to penalties for infringement of up to 4% of global annual turnover or €20 million.
The GDPR enhances the current data protection principles, providing additional protection and regulation, so it should not be ignored.
Practical considerations to ensure compliance
- Conduct an information audit
This will help establish what personal data you hold, where it came from and who you share it with. It applies both to persons you deal with outside your organisation and to your own employees.
- Review your privacy notices
These are crucial for informing third parties of what data you are collecting and how you will use it. They will need to be reviewed in light of the GDPR.
- Employees’ consent
Every employer now has (to differing extents) obligations under the GDPR and faces greater risks for non-compliance. Under the GDPR, blanket consents (usually contained within employment contracts) will become more of an issue and will generally not be compliant. Instead, employers will need to review their data processing and their requirements for employee consent. Where consent is required, it will need to be specific and freely given by each employee. Employers will also need to allow employees to withdraw consent at any time, and where an employer’s purposes or activities change, consent will need to be obtained again. With these extensive changes coming into force, employers will require legal advice and systems to comply with the GDPR.
- Check your procedures
You need to ensure that you are compliant with individuals’ rights, such as consent, the right of access and the right to erasure. You may need to obtain consent again if your current procedures are not compliant.
- Establish a lawful basis by which you process personal data
The GDPR’s key definitions of “Data Controllers” and “Data Processors” are important because of the additional responsibilities placed on both. Once you have identified the lawful basis on which you control or process data, you should document it and update your privacy notice.
The GDPR also contains new provisions for the protection of children’s personal data and guidance on whether you need to designate a Data Protection Officer (“DPO”) within your organisation.
If your organisation deals with data across Europe or elsewhere, you will also need to identify the lead data protection supervisory authority to establish your responsibilities.
How will the GDPR specifically impact your business?
If you want to know how the GDPR might specifically impact your business, click the link below to take our free, short and simple questionnaire.
Once completed, you will receive an immediate score indicating how at risk your business might be. If you provide us with your contact details, one of our lawyers will then contact you directly and provide some pointers on the practical steps you should be taking to minimise the risk of non-compliance.