In May 2018, the UK will implement the General Data Protection Regulation (GDPR), which was created to strengthen and unify data protection for individuals in the European Union.
The Information Commissioner’s Office (ICO) is responsible for the Data Protection Act 1998 and Freedom of Information in the UK. The ICO recommends 12 steps businesses should take before May 2018 to prepare for compliance with the GDPR.
- Awareness: Inform all decision makers in your organisation that the law is changing and the GDPR will be effective in May 2018.
- Information audit: Document where all personal data is derived from and with whom it is shared.
- Communicate private information: Privacy notices should be reviewed to ensure any necessary changes are made before the GDPR is implemented in May. For example:
— Provide consumers with your legal basis for processing the data.
— State data retention periods.
— State that consumers have a right to complain to the ICO.
- Individuals’ rights: All procedures should be checked to ensure that they cover all rights under the GDPR that individuals have, for example how personal data will be handled, disclosed and deleted.
- Subject access requests: Policies and procedures should be updated to prepare for handling requests within the new GDPR one-month deadline.
- Legal basis for processing personal data: Organisations should understand the types of data processing they’re carrying out and document the legal basis for each.
- Consent: Consent must be freely given, specific, informed and unambiguous. It must be given by positive indication and can no longer be inferred from silence.
- Children: The GDPR will provide special protection for children’s personal data, particularly when used for social networking platforms.
— The ICO indicates that the UK will likely legislate to provide that anyone under 13 is a child.
— Organisations should prepare systems to verify individuals’ ages or gain parental/guardian consent.
- Data Breaches: The GDPR will introduce a duty to notify the ICO of certain types of breaches (usually where individuals are likely to suffer financial consequences).
— Measures should be enforced to detect, report and investigate personal data breaches.
- Data protection by design and Data protection impact assessments: In light of the GDPR changes, organisations should:
— Adopt a privacy by design and data minimisation approach to all data processing.
— Familiarise themselves with the ICO’s guidance on privacy impact assessments (PIAs).
— Assess situations which will require a PIA and determine who will conduct it.
- Data Protection Officers: Larger organisations should consider appointing a Data Protection Officer. This person must ensure that data processing is dealt with regularly and adequately.
- International: An organisation operating on an international level should determine which data protection supervisory authority applies to them.
The information in this blog post is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from JAG Shaw Baker or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter.