GDPR came into effect on May 25, 2018. However, some organizations still struggle to both understand and comply with GDPR and its complexities.
The primary objective of the GDPR is to give citizens back control of their personal data. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.
There are strict requirements on the way businesses collect, store and manage personal data. GDPR provides citizens of the EU with greater control over their personal data and assures that their information is being securely protected across Europe, regardless of whether the data processing takes place in the EU or not. Personal data can be a name, email, address, date of birth, personal interests, unique identifiers, digital footprints and more.
In the UK, the Information Commissioner's Office (ICO) is the governing body that oversees GDPR.
The ICO regulates data protection in the UK. It offers advice and guidance, promotes good practice, carries out audits and advisory visits, considers complaints, monitors compliance and takes enforcement action where appropriate.
GDPR replaced the 1995 Data Protection Directive and aims to strengthen and unify data protection for all individuals within the European Union.
It is the biggest overhaul of personal data privacy rules since the launch of the internet.
Businesses need to look closely at their data and how they handle it. There are many things a company must do in order to be compliant with GDPR.
- Know your data. You need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
- Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities are more difficult under the GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless necessary.
- Look hard at your security measures and policies. You need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
- Access requests have one month to be dealt with. Under GDPR, citizens have the right to access all their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
- Employees need to undergo training and serious breaches need to be reported within 72 hours. Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags. It’s also important that everybody involved in your business is aware of a need to report any mistakes to the Data Protection Officer (DPO) or the person or team responsible for data protection compliance, as this is the most common cause of a data breach.
- Conduct due diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You also need to ensure you have the right contract terms in place with suppliers (which put important obligations on them, such as the need to notify you promptly if they have a data breach).
- Create fair processing notices. Under GDPR, you’re required to describe to individuals what you’re doing with their personal data.
- Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or involve processing large volumes of ‘special category’ data, you must employ a Data Protection Officer (DPO).
GDPR Management Software
The requirements of GDPR are complex, and that is why our cloud-based GDPR software platform provides an all-in-one solution for maintaining GDPR compliance.
The only way to limit the risk of heavy fines and damaging a company’s reputation is by making sure you are aware of GDPR and the implications of not complying.
Our software helps businesses to achieve, manage and maintain their GDPR compliance. It seems prudent for organisations to protect themselves and limit any chances of being fined for simply not taking GDPR seriously enough.