GDPR is ages away, right? Not quite.

The General Data Protection Regulation (GDPR) is the new legal framework for data protection laws, and is coming into force on the 25th of May, 2018.

If this is the first time you’re hearing about the GDPR, head over to our post introducing you to the basics.

Non-compliance can have consequences, so here are 5 steps you can take today to get your business closer to GDPR compliance.

1) Spread the Word

Decision makers and leading members of your business must be aware of the General Data Protection Regulation. It is vital they anticipate the GDPR’s impact and identify areas with the potential to cause compliance issues.

For larger and more complex organisations, GDPR could have significant resource implications. If your preparations are last-minute, then becoming compliant may be more challenging than necessary.

2) Refresh Your Information Practices

Record the personal data you hold, because under the GDPR it will be vital to know exactly where it came from and who you have shared it with.

The GDPR requires you to maintain records of your processing activities. If you’ve shared inaccurate information with another company, then it will be your responsibility to contact the organisation in question and correct the mistake.

The information you supply people with in privacy notices will also change. For instance, you will have to explain your lawful basis for processing the data, and state how long you store data. You will also need to make it clear that if they think there is a problem with how you are handling their data they have the right to complain to the ICO.

3) Know the Individual’s Rights

These rights are mostly the same as the ones under the Data Protection Act. The only new right is the “right to data portability”, which applies only:

  • To personal data an individual has supplied to a controller
  • Where data processing is based on the individual’s consent or for the performance of a contract
  • When automated means carry out the processing

For a more in depth review, sign up for our GDPR newsletter and be the first to hear about our GDPR-related blog posts, including “The Low Down on Individual Rights”.

4) Review How You Manage Consent

Have a look at how you currently obtain, record and manage consent, and decide whether you need to make adjustments.

Consent must be:

  • Given freely
  • Specific
  • Informed and unambiguous

You must provide a positive opt-in separate from other terms and conditions. Also, you will need to have simple ways for people to withdraw consent.

Perhaps most importantly, this consent must be verifiable. Your records must show that the consent given fulfilled all of the above criteria. If someone challenges your practices, the onus will be on you to prove you did everything right.

For the first time, the GDPR introduces special protection for children’s personal data, especially in the context of commercial internet services. From the age of 16, a child will be able to consent to their data being processed. If your organisation offers online services to children and relies on their consent to collect their information, then a parent or guardian may need to consent to their child’s personal data being processed.

5) Don’t Leave Anything to Chance

It can be hard to see which areas of your business need tweaking in the wake of the GDPR.

Get a fresh pair of eyes to look over your business practices. Mackman are offering a selection of GDPR-related services. With a health check, our specialists will review your website and produce a comprehensive report of recommendations; we also run workshops to get you started on the road to GDPR compliance.

Alternatively, you can contact Mackman on 01787 388038 or email the team at customerservice@mackmangroup.co.uk.