GDPR is here.

After a great deal of preparation, today, 25 May 2018, the new EU General Data Protection Regulation (GDPR) comes into force across the European Union. Earlier this week, the Data Protection Act 2018, which enshrines the new EU GDPR in UK law, received royal assent, encouraging the free flow of data between the EU and the UK post-Brexit.

These pieces of legislation introduce higher standards for the processing of personal data. They are designed to bring data protection laws across Europe up to date so that they better reflect the digital world we now live in, to harmonise laws in this area to better support trade, and to strengthen individuals' rights over their personal data.

These Data Protection Laws will affect most organisations that process personal data. Organisations must ensure that they are compliant with the new GDPR. The legislation introduces significant reforms to the data protection landscape in Europe. Organisations that fail to prepare for these changes could be liable for penalties of up to the greater of 4% of turnover or €20 million.

If your organisation has not yet taken steps to comply with the new GDPR, do not panic! However, we would advise that you do not delay your compliance project any further. In approaching your GDPR compliance project, you may wish to consider the following, which generally reflects ICO guidance:

Get management engagement

Becoming GDPR compliant could involve a significant commitment and culture change for your organisation. It is important that senior management understands this and that you discuss strategy with them at the start of the project.

Raise awareness

Training for those involved in data processing in your organisation is a key part of GDPR compliance. Cover GDPR standards generally and the practical impact GDPR will have on the organisation.

Appoint GDPR resource

Check if your organisation needs a Data Protection Officer as soon as possible. This can be an external or internal appointment. Also, set up a core internal or external GDPR team representing key operational business areas to manage the compliance project.

Carry out a data audit

Mapping the data flows in and out of your organisation will give you useful insight into the relevant data protection issues and will form the basis for the next steps.

Identify the gaps and make a plan

Using the output of the data audit, identify areas of non-compliance and prepare a Treatment Plan together with implementation timescales.

Execution

Explain the plan and timescales to key personnel in the organisation so they can allocate resources for successful implementation. What each organisation needs to do will depend on its processing activities; however, it will generally involve reviewing and updating privacy notices, reviewing organisational and technical measures, reviewing marketing practices, updating outsourcing arrangements and data sharing processes, and so on.

Stay compliant

Once the GDPR requirements have been met, you need to put in place an ongoing compliance programme and monitor it. This may include regular training sessions, privacy impact assessments for new products or systems, regular reporting to the Board, and data audits.

At Thorntons, our Data Protection and Information Security team can help you with advice and practical support on preparing for GDPR and ensuring ongoing compliance. We offer GDPR training, data audit and gap analysis services to identify the key issues for your organisation, and comprehensive support in meeting the requirements of GDPR, as well as providing Data Protection Officer Services.  

Call us on 01382 229111 for advice and help on GDPR requirements and implementation, or complete our online enquiry form.

About the author

Loretta Maxfield

Partner

Data Protection & GDPR, Intellectual Property

For more information, contact Loretta Maxfield on +44 1382 346814.