UK firms terrified of GDPR fines – here’s 12 steps to happiness

Monday, 12 February, 2018

The Information Commissioner’s Office (ICO) has released a 12-step programme to try to address the thorny issue of the European Union’s General Data Protection Regulation (GDPR).

The GDPR is due to become law on 25 May and will replace the UK’s current Data Protection Act.

The rules bring in much more stringent regulations that, if companies fail to comply with them, could see those companies fined up to €20 million, or up to 4% of total revenue.

What is it?

Every day, personal data on people like you and me is being collected, sold and passed on to third-party companies. This personal data could include your name and address, your mobile phone number, date of birth, your computer’s IP address, or anything else that could personally identify you.

People naturally want more control over what data they give out, and how their data is used with or without their consent.

That’s what GDPR is meant to do. In reality, this means that companies will have to be a lot more transparent about any personal data they hold on you, and give you the option to remove your personal data from their systems.

Problems for business

Compliance with the new regulations is not optional and will transform the cybersecurity landscape.

And while the laws are slightly different for small businesses with fewer than 250 staff, many still don’t know how the GDPR will affect them.

With that in mind, the ICO has issued this checklist with a warning to firms that there are ‘new and significant enhancements’ when comparing GDPR with existing UK data laws.

There are 5.4 million businesses in the UK that employ fewer than 250 people. When it comes to data protection, surveys show they tend to be less prepared.

We know that most businesses want to get things right but often struggle to find the key steps to get started. They also have less time and money to invest in getting it right.

They may not have compliance teams or data protection officers or access to legal advice.

The businesses may be small but they still hold important personal information and the need to gain the trust of their customers is just as real.

- Elizabeth Denham: Information Commissioner, Information Commissioner's Office

12 steps to data paradise

Below are the 12 steps the ICO says businesses, charities and public organisations need to take now.

So, if you’re a manager or an employee it is worth raising this within your workplace to see how prepared your company is.

1. Awareness

You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

6. Legal basis for processing personal data

You should look at the various types of data processing you carry out, identify your legal basis for carrying each one out, and document it.

7. Consent

You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Children

You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data protection by design

You should familiarise yourself now with the guidance the ICO produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

11. Data Protection Officers

Companies with more than 250 employees should designate a Data Protection Officer. This person will take responsibility for data protection compliance.

12. International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

By: TG Bamford

A veteran freelance journalist writing extensively on internet news and cybersecurity.
