News

9 Feb, by Craig Forsyth
The time to prepare is now!

On the 25th May 2018, the EU General Data Protection Regulation (GDPR) comes into force. That might seem like a long way off, but at the time of writing it is just over 100 days away. In addition, the GDPR was already adopted back in April 2016; May 2018 is simply the end of the 2-year grace period.

The GDPR brings with it a whole host of changes, and the penalties for non-compliance are higher than ever: either 4% of your annual turnover or £20 million, whichever is higher. But how do you prepare? What do you need to change first? Where do you even start?

Fortunately, the reality of the GDPR isn’t the apocalyptic scenario that many observers in the legal industry make it out to be. You won’t lose all your clients, and you won’t have to ask every one of them whether you can still use their data. The GDPR is simply a way of bringing the outdated 1998 UK Data Protection Act into the modern age, taking into account the advances in information technology that have so radically changed the face of data in the 21st century.

So what are the key things you need to be aware of for the GDPR? What should you be looking at as a priority to be prepared for the 25th May? We’ve compiled a list of the top 5 major changes brought in by the GDPR that business professionals need to make themselves aware of today.

Privacy by design

Under the GDPR, both data controllers and data processors must think about data privacy and protection from the very beginning of any process. This way of thinking ensures that user data is protected at every step, and that all levels within an organisation are responsible for data privacy.

Direct obligations and more responsibilities for processors

Under the Data Protection Act 1998, a common excuse used to avoid fines was to claim that your organisation was not a data controller but merely a data processor, because data processors had fewer responsibilities than controllers. Under the GDPR, both controllers and processors are responsible for data security and equally accountable for data breaches. No excuses!

72-hour breach notification

Under the Data Protection Act, there is no legal obligation for data controllers to report a breach once it has been detected. Under the GDPR, all data breaches must be reported without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notifications made after 72 hours must be accompanied by the reasons for the delay.

Stronger data subject rights

While the DPA 1998 already gives data subjects many rights, such as the right to access the information held on them and the right to prevent processing for direct marketing, the GDPR significantly expands these rights. Data subjects now have the right to data portability, which requires the response to an information request to be provided in an easily portable form such as a memory stick, and existing rights such as the right to be forgotten and the right of access are increased in scope.

Mandatory Data Protection Officer

This may only apply to larger organisations, but it’s still worth noting. Large businesses that handle large amounts of data must appoint a Data Protection Officer (DPO) to oversee all data usage throughout the organisation. The DPO must have expert knowledge of data protection law, report to the highest level of management and have the power to act independently.

Tackling the GDPR can be daunting, especially knowing that it will have a huge impact on how your company handles data. Old processes will need to be completely replaced, and compliance will take a concerted effort.

If you’re looking for guidance, you can also visit the Information Commissioner’s Office (ICO) online, where it has published a handy guide to GDPR preparation.

The Centre for Assessment also provides expert GDPR workshops, both in-house and classroom-based. You can find out more about these courses by clicking here.

However you choose to start your preparations for the GDPR, it’s important that you start as soon as possible. The sooner you can begin to demonstrate compliance, the easier it will be to continue conducting business as normal after the 25th May 2018.