How to prepare for the EU’s General Data Protection Regulation (GDPR)
Anyone who runs their own business, particularly online, will be aware of the obligations involved in gathering, using and storing customers' personal data. Robust website terms and conditions, a cookie policy and a privacy policy are all integral to the lawful operation of your company.
The EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, supersedes the current UK Data Protection Act 1998. It modernises the approach to protecting personal data and expands individuals' rights to control how their personal information is collected and processed.
What does this mean for my business?
As with any change in regulation, it is essential to understand how it affects the way your business operates. In short, the GDPR places more onus on businesses to be accountable for protecting personal data and to be transparent about how they process it. It protects individuals in the EU regardless of where the business processing their data is based.
What data do they mean?
Personal data is any information that may directly or indirectly identify a person. This includes, but is not limited to: name, age, postal and email address, photographs, location data, IP address, cookie identifiers and website analytics data.
The regulation places stricter conditions on "special categories" of personal data, which include: religion or belief, sexual orientation, ethnic origin, health data, genetic data and biometric data used to identify a person.
What if I’m unable to comply?
Compliance with the GDPR is mandatory. Non-compliant businesses can face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, so you are strongly advised to familiarise yourself with the requirements.
What can I do to act now?
The UK Information Commissioner's Office (ICO) guidance on preparing for the GDPR sets out 12 steps that businesses can take now. In brief, these are:
Awareness: sharing the GDPR changes with colleagues
Information you hold: best practice on documenting information held
Communicating privacy information: reviewing current privacy notices
Individuals' rights: checking that your procedures cover all the rights of data subjects, including access, rectification, erasure and data portability
Subject access requests: updating your procedures
Lawful basis for processing: identifying and documenting the lawful basis for each processing activity (consent and legitimate interests are two of the six available bases)
Valid consent: where you rely on consent, it must be freely given, specific, informed and unambiguous; review how you seek, record and manage it
Children: putting in place age verification and parental consent where you offer online services to children (the GDPR sets the default age at 16, but member states may lower it to 13)
Data breaches: having the procedures to detect, report and investigate a personal data breach, including notifying the supervisory authority within 72 hours where required
Data protection by design and default: building data protection into your processing from the start and carrying out Data Protection Impact Assessments for high-risk processing
Data protection officer: deciding whether you must appoint one (mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data) and, in any case, designating someone responsible for compliance
International: if you operate in more than one EU member state, identifying your lead supervisory authority and ensuring cross-border processing is managed
How can I ensure I’m meeting these new standards?
A common-sense approach is always recommended. The GDPR is about ensuring appropriate policies and procedures are in place, being transparent and accountable to individuals about how their data is handled, protecting their rights, and building a workplace culture of respect for personal data.
You can find out more information on the GDPR changes here.