After over four long years of political processes, detailed discussions and business lobbying, the final text of the new EU General Data Protection Regulation (GDPR) rules was released in April 2016.
As nearly all businesses and other entities use some form of personal data – solicitors, charities, retailers, manufacturers, care homes and so on – this is a new law which will impact the majority of UK organisations, going beyond the Data Protection Act regulations.
The new EU GDPR rules – a brief summary
The new EU GDPR rules have been put forward “to make Europe fit for the digital age” and, as such, any entity that holds or uses European personal data will be caught by EU GDPR, regardless of where in the world it is located.
The new EU GDPR rules come into law in 2018; however, organisations should start to take action now to review current business procedures and implement appropriate measures for improved data security.
The rules bring radical changes to how organisations process personal data, giving greater protection to the public and greater powers to authorities to take action against companies that breach the rules.
Data protection errors will now be far more expensive than ever before, and companies that suffer a breach and fail to comply with the new regulations can expect fines of up to 4% of annual global revenue.
12 things you should be doing now to prepare for EU GDPR
The Information Commissioner’s Office (ICO) has released a 12-step plan to help companies prepare for EU GDPR.
It is important you begin to prepare for the new EU GDPR rules before the regulation comes into law in 2018.
You need to determine your risks and take the necessary measures before the new GDPR rules come into force. This is a process that could easily take two years.
Here are 12 things the ICO recommends you should be doing now:
- Appoint a data protection officer
- Raise staff awareness of the new EU GDPR rules
- Implement procedures to detect, report and investigate data breaches
- Audit the information you hold (including its source and use)
- Review privacy information and implement appropriate changes
- Consider individuals’ rights (including the right to be forgotten)
- Update subject access request procedures
- Establish and document your legal basis for processing data
- Review consent mechanisms and implement appropriate changes
- Incorporate data protection by design and privacy impact assessments
- Update procedures for processing data about children
- Determine the data protection authority for international organisations
As you can see, for a number of organisations there will be a lot of work to do and only two years to get everything in order. Failing to do so could result in considerable fines and loss of reputation.
How we can help you
Our data protection experts have a great deal of experience in this area, working closely with businesses to implement information security management systems. If you are looking for help in this area, please get in touch with Charles Kavazy, Director of IT Services at Hawsons, on 0114 266 7141.