There are now only six months until the General Data Protection Regulation (GDPR) comes into force. If you are responsible for the personal data of EU residents, this is all the time you have left to make sure you are compliant. The GDPR will apply in the UK from 25 May 2018, and the government has confirmed that the UK’s decision to leave the EU will not affect its commencement.


The GDPR applies to organisations established in the EU and, under Article 3(2), to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the European Union (EU). The test is where the data subject is, not their citizenship, so any company that handles information relating to people in the EU is likely to have to comply with the requirements of the GDPR.

But – don’t panic!

Becoming compliant doesn’t need to be complicated: create a process that works for your organisation and protects it, and apply it consistently. Consistency in data protection matters because so many businesses and individuals now trade across borders, not just at home.

The GDPR treats any information that can be used to identify an individual as personal data. For the first time this explicitly includes genetic, mental, cultural, economic and social information, and online identifiers such as an IP address. Very little personal data falls outside the GDPR, so few organisations can avoid its requirements, and being prepared is vital.

Exactly like the Data Protection Act (DPA), the GDPR does not apply to individuals processing personal data in the course of a purely personal or household activity. Keeping your family address list in an Excel spreadsheet does not bring you within the scope of the GDPR. But step outside that definition, for example by selling hand-made craft items in your local Facebook group as a sole trader working from home, and as soon as you begin commercial activity you are highly likely to fall within the scope of the Regulation. Article 4(18) defines an “enterprise” as a natural or legal person engaged in an economic activity, irrespective of its legal form, so it does not matter whether you trade through a limited company or in your own name.

For most organisations, which already hold HR records, customer lists and contact details under the DPA, the change to the definition should make little practical difference.


Did you know that there is an accountability principle?

The accountability principle in Article 5(2) requires controllers to:

*be responsible for, and be able to demonstrate compliance with,*

the principles of the General Data Protection Regulation.

So, what do you need to do?

Make people aware - Make sure that the decision makers and key people in your organisation know that the law is changing to the GDPR and understand the impact it will have on what they do.

Designate a lead - Give someone responsibility for data protection compliance within your business. Whether this is a member of staff or an external data protection advisor, they need the knowledge, support and authority to carry out the role effectively.

Check information - Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit so that you fully understand the information you collect or hold, and then record the results.

Privacy policy - Make sure your privacy policy is in place, and implement one if you don’t already have it. Review it against the GDPR, which requires you to tell individuals more than the DPA did, including the lawful basis you rely on for processing and how long you keep their data.

Individuals’ rights and lawful basis - Check that your procedures cover all of an individual’s rights, including those that are new or strengthened under the GDPR, such as the right to erasure and the right to data portability, and amend them where the new rules require it. Check that you are processing personal data under a lawful basis: the rules change under the GDPR, and you will need to identify and document the basis you rely on.

Consent - Review how you collect data. Where you rely on consent, is it freely given, specific, informed and unambiguous, and can you show when and how it was obtained? How do you verify the age of the individual, and how do you obtain parental consent where a child is too young to give it themselves?

Breaches - Make sure you have procedures in place to detect, investigate and contain a personal data breach, and then to report it. Read up on whether and how you need to report a breach: under Article 33, a breach that is likely to result in a risk to individuals must be reported to the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, and Article 34 requires you to tell the affected individuals where the risk to them is high.


How to demonstrate accountability under the GDPR

To demonstrate accountability, your organisation will need to:

Keep up-to-date documentation of processing activities;

Appoint a data protection officer (DPO) where the GDPR requires one (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data), and check the latest guidance on the Information Commissioner’s Office (ICO) website;

Implement measures to meet the principles of data protection by design and by default;

Implement appropriate technical and organisational measures (policies and procedures) to ensure and demonstrate compliance; and

Conduct data protection impact assessments (DPIAs) where appropriate.

There is a huge amount of information available, so don’t leave it until the last minute and get caught on the back foot.