Get ready for GDPR - May 2018
24/02/17 09:36
The Europe-wide General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) will apply in the UK from 25 May 2018. Even though the UK has chosen to leave the EU, the new regulation will still come into force. In the UK the GDPR will in essence be an enhancement of the Data Protection Act 1998 (DPA), but it brings new and different requirements. The aim of the regulation is to give EU citizens better control over their personal data. It also modernises and unifies rules across the Union, taking recent technological developments into account.
Companies affected by the GDPR are those that handle personal data and/or sensitive personal data. If your company holds information that falls within the DPA, you can assume that it will also be within the scope of the GDPR. The definition of personal data under the GDPR is more detailed than that under the DPA. However, if you hold personnel records such as names, addresses, telephone numbers and payroll details, or customer lists, it is almost certain that the GDPR will apply. If you are in doubt whether the GDPR applies to your company, we recommend that you seek advice from your industry body or obtain legal advice.
With a little over a year to go until the GDPR applies, if you haven't started yet, here are some tips to get your project moving:
- Carry out a data audit of all personal data, documenting what information is held, where it is held, how it was collected and the reason for collecting and holding it.
- Note who has access to the data and why they need it.
- Establish whether you will need a Data Protection Officer (DPO). A DPO will be required for organisations that process significant quantities of personal data, as well as for public authorities. The regulation sets out specific tasks and duties to be carried out by the DPO.
- Update existing documents and forms used for data collection, ensuring that the data subjects (the persons you are collecting the data from) are clearly informed why the data is being collected, for what purpose and how long it will be stored. The data subjects must have given their consent by opting in and accepting your conditions for collecting and holding their data.
- Inform all staff about their new obligations before, during and after data collection.
- Draw up a procedure for what to do in the event of a breach, detailing responsibilities: who will be in charge, who to contact and what to say. Data breaches, manipulation and destruction of data will need to be disclosed to the supervisory authority within 72 hours of the data controller becoming aware.
- Prepare a flowchart of how data can be transferred or moved, should a data subject request that their information be moved to another controller.
- Ensure your data processing systems are secure so as to preserve the confidentiality, integrity and availability of the information, i.e. data should be encrypted and reasonable care needs to be taken to ensure that the data is not accessed by anybody who does not have the necessary authorisation or access rights.
- Liaise with your industry body to see if they are going to issue a GDPR code of conduct which you may need to adhere to.
- Incorporate the new processes into your Enterprise Risk Management system. If your organisation does not explicitly have enterprise risk management in place, this is the perfect opportunity to launch a programme.
If you get stuck in the process of getting started, roll-out or implementation, we are here to help.
Contact us to see how we can help:
Risk Management London
RML House
12 Dunster Court
Borehamwood
Hertfordshire
WD6 1LF
Office +44 (0)208 2070 452
Help Line +44 (0)7775 900 333
info@risk-management-london.co.uk