Key Steps for GDPR
Making the key-decision makers within your business or organisation aware that GDPR is happening/happened is crucial, they need to acknowledge the impact this can have on several integral areas of the business. This may not be hard to realize in hindsight but preparation for GDPR is key and will make everything going forward a lot simpler and objectives much clearer. Information You should make note of all the personal data you hold, where it came from and who it is shared with (if anyone.) An audit would have been a great idea 6-9 weeks ago but GDPR means you will have to maintain these records and constantly monitor them so it’s still a good idea to get all your ducks in a row.
Reviewing your privacy notices and making necessary changes for implementation was essential for the GDPR deadline on May 25th When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. Now you will have to do more, including whom you share their data with and how long you retain it for.
The right to access –this means that individuals have the right to request access to their personal data and to ask how the company uses their data after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested. The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
The rights to data portability – Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.
The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
The right to be notified – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
You should update your procedures and plan how you will handle requests to take account of the new rules: • In most cases you will not be able to charge for complying with a request.
• You will have a month to comply, rather than the current 40 days.
• You can refuse or charge for requests that are manifestly unfounded or excessive.
• If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month. If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
Consent is a huge part of GDPR, there’s no more pre-ticked boxes, inactivity or silence to infer people want to opt in. They must give you consent in a freely give, informed and unambiguous manner. That means a positive opt-in is a MUST! You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
You should consider whether you are required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:
• a public authority (except for courts acting in their judicial capacity);
• an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
• an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.