The Information Commissioner’s Office (ICO) has released a 12-step programme to help organisations prepare for the European Union’s General Data Protection Regulation (GDPR).
The GDPR applies from 25 May 2018 and supersedes the regime of the UK’s current Data Protection Act.
The rules are considerably more stringent than the existing ones; organisations that fail to comply could be fined up to €20 million, or up to 4% of total annual worldwide turnover, whichever is higher.
What is it?
Every day, personal data on people like you and me is collected, sold and passed on to third-party companies. This personal data could include your name and address, your mobile phone number, date of birth, your computer’s IP address, or anything else that could identify you personally.
People naturally want more control over what data they give out, and how their data is used with or without their consent.
That’s what the GDPR is meant to address. In practice, it means that companies will have to be far more transparent about any personal data they hold on you, and must give you the means to have that data erased from their systems (subject to the conditions the regulation sets out).
Problems for business
Compliance with the new regulation is not optional, and its requirements on security, breach notification and accountability reach well beyond the legal department.
And while some obligations are lighter for small businesses with fewer than 250 staff, many still don’t know how the GDPR will affect them.
With that in mind the ICO has issued this checklist with a warning to firms that there are ‘new and significant enhancements’ when comparing GDPR with existing UK data laws.
There are 5.4 million businesses in the UK that employ fewer than 250 people. When it comes to data protection, surveys show they tend to be less prepared.
We know that most businesses want to get things right but often struggle to find the key steps to get started. They also have less time and money to invest in getting it right.
They may not have compliance teams or data protection officers or access to legal advice.
The businesses may be small but they still hold important personal information and the need to gain the trust of their customers is just as real.
- Elizabeth Denham, Information Commissioner, Information Commissioner’s Office
12 steps to data paradise
Below are the 12 steps the ICO says businesses, charities and public organisations need to take now.
So, if you’re a manager or an employee, it is worth raising this within your workplace to see how prepared your company is.
1. Awareness
You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales (in most cases one month, rather than the current 40 days, and normally without a fee) and provide any additional information.
6. Lawful basis for processing personal data
You should look at the various types of data processing you carry out, identify the lawful basis for each and document it.
7. Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for any data processing activity involving children.
9. Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Where a breach is likely to result in a risk to individuals, the GDPR requires you to notify the ICO within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay when the risk is high.
10. Data protection by design and data protection impact assessments
You should familiarise yourself now with the ICO’s guidance on Privacy Impact Assessments (known under the GDPR as Data Protection Impact Assessments, and mandatory for high-risk processing) and work out how and when to implement them in your organisation.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and decide where that role sits within your organisation’s structure and governance. You should also assess whether you are formally required to appoint a Data Protection Officer: the GDPR requires one for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; headcount alone is not the test.
12. International
If your organisation operates in more than one EU member state, you should determine which data protection supervisory authority is your lead authority.