GDPR stands for General Data Protection Regulation. You may have heard this term mentioned a lot lately, and this is because it is the biggest change to data protection since the Data Protection Directive of 1995 (EU) and the subsequent Data Protection Act of 1998 (UK Act of Parliament).
Businesses who hold or process ‘personal data’ are responsible for ensuring that they comply with the GDPR by the enforcement date of 25th May 2018. For businesses who already comply with the UK’s current data protection law, many things will stay the same, but GDPR brings new obligations too.
Heritage Accountancy Ltd has been preparing for a while, and we wanted to write this article to simplify the process for our clients and provide basic information on how to prepare for and achieve compliance with the GDPR.
All businesses will be looking at their internal policies and procedures and rewriting those elements relating to data protection in preparation for GDPR. Carrying out an internal audit of data and documenting everything as required by GDPR may sound onerous, but we have broken the key requirements down into easy steps for you to follow:
1. Register with the ICO
The Information Commissioner’s Office (ICO) is responsible for investigating and enforcing non-compliance with the GDPR. Many businesses are already registered with the ICO. If you hold or process data you should be registered with the ICO, and for most businesses this costs £35 per year. By registering and understanding your obligations under GDPR you have taken the first step. The ICO has indicated that, should a business fall foul of the legislation, it will be more lenient on those who are aware of their obligations and are taking steps to ensure compliance.
2. Understanding Individuals' Rights
There are eight clear individual rights around data processing and the collation of individuals' data. These rights are:
Right to be Informed
Right to Object
Right of Access
Right to Rectification
Right to Erasure
Right to Data Portability
Right not to be subjected to a solely automated process (rights in relation to automated decision-making about an individual)
Right to be provided with a lawful reason for processing, and the right to restrict processing.
You should show an understanding of these rights and how they specifically apply to your business.
3. Privacy Notices
The current Data Protection Act requires privacy notices to be displayed to individuals which inform them how their data is being processed and why. GDPR expands this requirement and demands greater transparency. Essentially, you should have policies in place which mean that an individual is informed of the following:
The full identity of the organisation collating their data (including the name and contact information of the ‘Data Controller’ or, where applicable, the Data Controller’s representative).
The purpose(s) for which the information will be processed.
Any further information about the controller and the processing of the data of which the individual should be aware.
This should be an informative notice which includes how long an individual's data will be held and their right of access; you should also include where their data is held and the purpose for which it is used.
Many companies will add this to their Standard Terms and Conditions of Business.
4. Data Breaches
A requirement of GDPR is that you have a procedure for identifying data breaches. If a company loses data, experiences a theft, or has its information hacked, this must be reported if there is any risk to people’s rights.
A data breach must be reported no later than 72 hours after it has been identified.
If the risk to the people whose data has been compromised is high, then those people have to be informed of the breach as well.
5. Consent
Ask for Consent
You need to ask for consent in order to record an individual's information. You have to keep records of the consent which you have received.
Managing consent means that if the business's relationship with an individual changes, then the purpose for which the data was collected has changed. A policy must be in place to ensure that data is managed in the best interests of the individual.
An individual can withdraw their consent at any time, and this must form part of managing consent.
All businesses will have ‘legacy data’, i.e. data collected before GDPR. You must communicate with these individuals and inform them that they are on your database and the reason they are there, and ask their permission to remain on your database and for you to continue to communicate with them.
6. Data Audit
This is documentation of all data which your organisation holds. You should create this and include where the data is held, which third parties hold data on behalf of your organisation (and therefore could have access to it) and how this is managed, how long you retain data, and what processes you have around data security. The data which you hold relates to your employees as well as your clients, prospective clients and previous clients.
By following the steps above and documenting these areas thoroughly you will be going a long way towards being GDPR compliant. Although we are not experts in this field, we do have to ensure compliance for our own business and simply wish to share our understanding of this new legislation, which has an impact on our clients and colleagues too.
This information, whilst an interpretation of legal information, does not constitute legal advice. We recommend that you obtain advice specific to your business or organisation about GDPR to ensure compliance. This article has been developed as brief information around an extremely in-depth and complex change to the data protection laws and therefore should not be relied on as a complete or exhaustive account of the measures which your business should take. While following the steps above will help you prepare, simply checking boxes and reading information does not mean you are compliant. You should use the ICO website as a resource and meticulously work through the legislation, ensuring that your company complies.
Article: Jill Keeler (Director - Heritage Accountancy Ltd)