The EU General Data Protection Regulation (GDPR) is a ground-breaking piece of data protection legislation that will come into force on 25 May 2018. The GDPR will have a significant impact on every business, as it introduces severe financial penalties for non-compliance. Now is the time to get your house in order and to take steps to prepare your business, as your data protection obligations are about to become more onerous. We have set out below some recommendations that will assist your business in preparing for the introduction of the GDPR:
1. Spread awareness of GDPR within your organisation
The GDPR provides for fines of up to €20 million or 4% of annual global turnover and permits individuals to sue for both material and non-material damage. Key employees and decision makers across your business must, therefore, be aware of and trained on the GDPR so that they can consider how to ensure compliance and appropriately allocate resources.
2. Conduct a data protection audit
Employers should review all personal data they hold and ensure that any data held has been fairly obtained with the subject's consent, is stored securely and is held for no longer than is necessary.
3. Review your data protection notices
The GDPR re-emphasises the importance of data protection notices and sets out the information that a business must provide when first collecting personal data. When preparing notices, businesses must set out information in a clear, concise and easily accessible manner.
4. Review your data protection policies
The GDPR provides that a data access request must be responded to within one month of receipt of the request. This is a reduction from the 40-day period provided for by current data protection legislation. In addition, documents must now be provided free of charge unless the request is “manifestly unfounded or excessive”, in which case a reasonable fee may be charged.
5. Review your data security procedures
The GDPR requires organisations to notify the Data Protection Commissioner of a data security breach within 72 hours of becoming aware of the breach. If there is a high risk to the rights of the data subjects, they must also be promptly informed of the breach.
6. Consider whether you will need to appoint a Data Protection Officer (DPO)
It will be up to each business to decide whether it needs to appoint a dedicated Data Protection Officer or whether this role can be delegated to an existing employee within the business. The GDPR does set out that a DPO must be appointed if an organisation:
- Carries out regular and systematic monitoring of data subjects on a large scale
- Carries out large-scale processing of special categories of data
- Is a public authority
From the above, it is clear that there are significant changes under the GDPR that require consideration and advance preparation by businesses. The SFA have been involved, through the GDPR Taskforce, in delivering a series of short guides to help raise awareness and understanding of the GDPR.
These guides can be accessed here. For any further information, please contact Helen Quinn on 016051668 or firstname.lastname@example.org.