An update from Paul Mc, MIA
I have spent time this week with GDPR legal experts in order to bring you all (hopefully) some sensible advice as to how you all prepare for the new legislation that comes into effect on May 25th 2018.
I know that you all have far more important things to do (like running a business!), but there is stuff here that you need to be doing before May…
The new rules are not a huge change from existing legislation but there are heightened expectations for a business in respect of their ACCOUNTABILITY in relation to processing and managing personal data (with substantially increased fines being announced).
Businesses involved with personal data will be expected to be able to DEMONSTRATE policies and assessments that protect data and use it appropriately.
Things to consider:
- Personal data is the means by which an individual can be “identified”. This is not just a name, but can also relate to phone numbers and addresses.
- All businesses are recommended to conduct a Data Protection Impact Assessment (and document this). This should consider a map of the data you hold, where it is stored, how you process it and who it is shared with and the risks of data breach. Plus, why you hold it and when you delete it.
- All businesses are recommended to appoint a Data Protection Officer (DPO).
- In relation to a Data Breach, do you have a policy? Have you identified the risk to the individuals that would be affected? Speedy notification of a breach to both the affected individuals and the ICO (Information Commissioner's Office) is now a major consideration/requirement.
- Subject Access Requests – the rights of individuals to see their data that you hold. People and staff will have more “rights” going forward.
- The Right to Erasure a.k.a. the Right to be Forgotten. Not an absolute “right”, but more on this will emerge.
- ICO registration: many more companies will need to register (thankfully the fees will be removed going forward), and whether you need to will depend on the data you hold and the risk it could pose. Once you have done your Assessment, contact the ICO to discuss.
- Third Parties who use and work with your data… what sort of Data Protection Contract do you have with them?
- Is your server/cloud data actually in the EU or outside it (if outside, you are technically exporting data)? Worth checking!
- Websites and all communications platforms will need looking at with respect to privacy statements, company details, complaint procedures, etc.
- As a general rule, communications will require explicit opt-in permission from the individual and an opt-out option (even old consents will need to be revisited).
There is naturally a huge amount more detail, but 11 points for now to get you thinking…
For all MIA members, we have some useful documents that will help you to get ready, and we are also looking at a half-day training course before November if that would be of interest.
Contact firstname.lastname@example.org or call 01403 800500