GDPR: ALL YOU NEED TO KNOW
Coming into force on 25th May 2018, the General Data Protection Regulation (GDPR) is a ruling by the EU governing how personal data is used. The aim of the new legislation is to give individuals greater protection and rights over how their personal information is handled; businesses and bodies will see changes in how they process and handle that data.
There is no opt out: there is not a company operating which does not handle data relating to individuals. An individual’s consent must be freely given, and the organisation’s request for consent should be clear.
Individuals also have the right to withdraw their data at any time. If consent is not clear and distinguishable, penalties can reach up to 4% of annual global turnover or €20 million (whichever is greater). Fines of 2% of annual global turnover can also be imposed for not keeping records in order.
Key things to know
The new legislation will replace the current Data Protection Act (DPA) and significantly changes and updates the way personal data is protected.
What you need to know:
Data breaches must be notified to the Information Commissioner (ICO) within 72 hours; you must also notify any individuals affected.
You must be open about what data is being collected and how it is being used; privacy policies will need to be updated.
Right to be forgotten
Individuals can require businesses to erase their personal data; it’s important you understand your obligations and how to respond to such requests.
Consent must be both clear and distinguishable, and easy to give and withdraw. Whilst not all personal data needs consent, if a business relies on it then the consent needs to be reviewed; ultimately, consent will be harder to obtain and maintain under GDPR.
It’s important that businesses make sure that their supply chain is compliant – if a supplier, such as a second-tier agency, umbrella or accountancy provider, breaches the rules, this could put you at financial and reputational risk.
Essentially, the GDPR changes the current legal bases that are used to justify collecting and processing personal data. There will be stricter requirements for consent: it must be accessible, distinguishable and easy for the individual to withdraw.
The relationship between the parties who share data will become heavily regulated. If data is shared within the supply chain, there will need to be an agreement in place that ensures the sharing is compliant with GDPR. It’s important to understand the risk in order to avoid exposure to financial and reputational risk.
There is also a new right to data portability, which allows individuals to request that their data be moved.
Organisations will need to make sure they implement security which is ‘appropriate to the risk’. Appropriate measures could include data encryption, data integrity, storage and retrieval, and security testing. This may mean that an organisation’s internal processes need to be reviewed and changed.
What you need to do
Organisations need to be prepared, so we would suggest you do the following:
assess the impact for your business
make sure staff, at all levels, are trained
identify and review who you are sharing personal data with
identify where you are acting as a data processor
be prepared to respond to individual requests
consider the 'privacy by design' concept
assess the current level of security
ensure your supply chain is compliant
consider appointing a Data Protection Officer (DPO) – you must appoint one if you are a public authority (except for courts acting in their judicial capacity), carry out large scale systematic monitoring of individuals (for example, online behaviour tracking), or carry out large scale processing of special categories of data or data relating to criminal convictions and offences
About giant group
At giant group, we provide a full range of compliance driven global workforce management solutions using unrivalled cloud-based technology and smart managed services.
For over 25 years, our watchword has been compliance. We take security very seriously. Our adherence to the rigorous international security standard ISO27001 ensures that sensitive data is protected and GDPR-compliant, protecting our clients from financial and reputational risk (we also adhere to ISO9001 and ISO14001).