May 2018, GDPR: Are you prepared? Pt.1
If the title of this blog has confused you, then the answer is probably no. As of May 25th, 2018, GDPR (General Data Protection Regulation) comes into effect. It is an extension of the Data Protection Act 1998 (DPA), which was a piece of legislation designed to protect an individual’s data that was stored on a computer. You can find some basic information on DPA here.
We’ve also produced a short blog on the key highlights of the DPA, which you can find here.
By this point, you should be compliant with DPA. If you’re not, then you’re going to have a lot more work to do before May 2018 comes around. If you are compliant with DPA then you’ve got a good starting point for the new regulations that GDPR will bring in.
So, what is GDPR? At a very basic level, it gives individuals more say over what happens to their data. It also introduces much higher fines for companies that breach data protection laws. It’s very difficult to define the specifics within a sentence or two, so we’re going to bring a few of the key points to you in this blog that you need to consider and plan for.
Keep an eye out for the second part of this blog. We don’t want to overload you by cramming it all into one place!
How do you store the information you hold?
To start, it’s important to understand how GDPR effects the information you currently have. You need to be able to know exactly what personal data you have, how you got it, and who you may have shared it with.
If you’re struggling with any parts of that, then you need to run an information audit for your entire company. An information audit is where you gather every piece of personal data that you have. You then identify the ways you use and share that information.
This is necessary as GDPR requires you to maintain accurate records of all personal data you hold, both for customers and employees.
You are also not allowed to share inaccurate information with another company or organisation. So, to pass the new rules, you’ll need strict documenting procedures for all personal data. If you do all of this, then you should be in-line with GDPR’s accountability rules.
The new accountability rules mean that you have to be able to show how you are complying with data protection laws by demonstrating your internal procedures and policies.
You’ll also need to clearly show how long you hold on to data before you remove it from your system. Finally, you have to tell people that they have the right to complain to the ICO (information commissioner’s office) if they think there is a problem with the way you’re using their data.
For more in-depth information, take a look at the ICO’s guide on privacy notices.
This first blog has probably given you a lot to mull over! Make sure to read the resources that we’ve provided you with. They will give you a good basis to start making changes within your organisation.
Feel free to tweet us (@weareredpepper) if you have any questions. Keep an eye out for the next GDPR blog, which should be landing in the next few days.