New European law - General Data Protection Regulation (GDPR)

February 01, 2018

IMPORTANT NOTICE: New EU laws to protect member data are wide ranging and will affect your business

The lawmakers in the European Union have had enough.

Large firms' reckless approach to the security of data is going to be punished by massive fines of up to €20 million - but that means every other business is getting swept up in the storm.

While the lawmakers take on the multi-nationals, to force them to wake up to the slack standards they've used for securing consumer data, we have to prepare for the fallout.

Is it the end of massive breaches of consumer data - like Sony, Equifax, Yahoo and others?

While that is a good thing, fines under the General Data Protection Regulation are not just about breaches of data, but about your system for prevention and how you communicate your use of consumer data.

It clarifies the rights consumers have over their data and empowers them to take control of it.

You should review your Privacy Policy and update it to reflect these clarifications before May 25th 2018.

Start here:


12 Steps to GDPR compliance

  1. Awareness – organisations should be acting now to ensure they are GDPR compliant by 25 May 2018. There is less than one year to go and implementation of the GDPR within an organisation could involve significant resources and planning – it's never too early to be prepared!
  2. Information you hold – the GDPR requires organisations to maintain records of all processing activities and the legal bases for processing such data. It is important for organisations to review the data they hold, where it came from, how long they have had it and the legal basis for processing it.
  3. Communicating privacy information – organisations should review their privacy notices and put a plan in place to make the necessary amendments to ensure GDPR compliance. The ICO has developed a code of practice for privacy notices which organisations can use to ensure GDPR compliance.
  4. Individuals' rights – the ICO has updated the 12 steps to reflect the additional rights individuals will have under the GDPR:
  • right to be informed;
  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restrict processing;
  • right to data portability;
  • right to object; and
  • right not to be subject to automated decision making and profiling.

The right to data portability is new and only applies to personal data an individual has provided to a controller where the processing was based on consent or performance of a contract and processing is carried out by automated means. You will need to provide information in a commonly used machine readable form, free of charge.

  5. Subject access requests – organisations should update the policies and procedures in place to deal with subject access requests to ensure they can comply within the new one month deadline.
  6. Lawful basis for processing personal data – organisations must review the legal bases used for processing personal data to ensure these are still relevant and will be GDPR compliant.
  7. Consent – where your organisation relies on consent, you should read the ICO guidance, as this legal basis is undergoing the most change under the GDPR.
  8. Children – under the GDPR, for the first time, children's personal data will be specially protected where organisations are offering information society services directly to children. Organisations should ensure they have processes and mechanisms in place to verify the age of users and seek parental consent for children under 13 (in the UK).
  9. Data breaches – in certain circumstances organisations will have only 72 hours from discovery of a breach to notify the relevant data protection authority of the breach. Organisations will also have the obligation, in certain circumstances, to notify data subjects directly if the data breach is likely to result in high risk to their personal data.
  10. Data protection by design and data protection impact assessments – PIAs will be required where processing is likely to result in high risk to individuals, e.g. where rolling out new technology, where profiling occurs or where processing is conducted on a large scale. The ICO and the Article 29 Working Party have released guidance on this issue.
  11. Data Protection Officers (DPOs) – organisations should evaluate whether they are required to appoint a DPO under the GDPR. If you would like more information on this, please read our blog or read the Article 29 Working Party guidance.
  12. International – where your organisation operates in more than one member state, you should identify the lead supervisory authority. For more information, please see the Article 29 Working Party guidance.

Next Steps

If your site has European members and you have not addressed the 12 steps detailed above, you should start preparing now.