General Data Protection Regulation
After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. From 25 May 2018 the new EU GDPR regulation comes into force, and companies found to have fallen foul of the new rules after a data breach will face huge fines. Secure IT Services can help you put strategies in place to ensure your business doesn't become one of them!
There are a number of key steps you need to take to ensure you are ready for GDPR:
- Awareness - Ensure decision makers and key staff within your organisation are aware of the changes in law relating to GDPR.
- Information - Document what personal data is held, where it came from and the authorised personnel with whom it can be shared. Consider scheduling an Information Audit.
- Communication of private information - Undertake a review of your organisation's current privacy notices. Consider changes that may need to be made and implemented in time for GDPR.
- Individuals' rights - Check that any procedures you have in place cover all the rights of individuals, including how personal data would be deleted and how data would be shared electronically in a commonly used format.
- Subject Access Requests - Update planned procedures to reflect how you will handle access requests within the new time-scale and how you will provide any additional requested information.
- Lawful basis for processing personal data - You will have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
- Consent - Determine how your organisation finds, records and manages an individual's consent, and whether changes need to be made in line with the new GDPR standard.
- Children - Think about whether systems need to be put in place to determine an individual's age and how parental or guardian consent would be obtained in order to process their data.
- Data Breaches - Make sure you have the correct procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design & Data Protection Impact Assessments (DPIAs) - Familiarise yourself with the ICO's code of practice regarding Privacy Impact Assessments (PIAs), the guidance from the Article 29 Working Party, and when and how to implement them within your organisation.
- Data Protection Officers - Designate someone within your organisation to take responsibility for data protection compliance, and consider appointing someone to the specific role of Data Protection Officer (DPO).
- International - If your organisation has establishments in more than one EU member state, you must determine and document your lead data protection supervisory authority.