The General Data Protection Regulation (GDPR), with its threat of huge fines of up to 4% of annual global turnover or €20m, came in on 25 May. But one survey suggests that 85% of EU and US companies won’t meet compliance, while 26% will remain non-compliant at 2018’s end. Are you compliant with GDPR? Read our essential GDPR checklist to find out.
Changes to the law
If you are not sure, there is a goldmine of free information and advice on the Information Commissioner’s Office (ICO) website. First, you need to know how GDPR differs from the old Data Protection Act (DPA):
- Coverage: GDPR applies to all businesses processing EU-based personal data, not just European ones. This includes both controllers and processors, so a call centre collecting data is as liable for inappropriate use or storage as its employer, and clouds aren’t exempt!
- Consent: simple terms must be used to seek consent and it must be clear why data is being sought and how it will be shared. Consent must be active (no pre-ticked boxes) and will only apply in the stated instances. It must be as easy to opt out as in.
- Subject rights: if requested, a subject’s data must be provided free of charge within one month (rather than the previous 40 days), in a format allowing easy transfer. If consent is withdrawn, or the processing purpose changes, they must be forgotten.
- Breaches: these must be reported within 72 hours of discovery, with possible consequences. Data Protection Officers (DPO) must provide their contact details and a summary of actions being taken. Affected subjects can demand compensation.
- Responsibilities: data protection must be an integral part of system design. Companies must use data only when necessary and limit access. It must be kept accurate, secure, and processed responsibly.
- DPOs: previously, processing was regulated according to local law. A DPO with expert knowledge (and no conflict of interest) isn’t essential for all companies, but is a good idea, so that you have one person in charge of dealing with compliance.
Avoiding a fine
Remember, the ICO isn’t out to get you. Elizabeth Denham, head of the ICO, explains, “The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime. Do they have a commitment to the regime? We’re not going to be looking at perfection, we’re going to be looking for commitment.”
She stresses that the maximum fines will only apply where there is evidence of “serious, sustained harm to individuals” or refusal to comply. So, if you aren’t ready, don’t panic. There’s no need to spend a fortune getting advice on how to comply; ask the ICO for help. Remember, establishing legal grounds for using data is half the battle.
Document everything as you go along, as this can act as proof that you took GDPR and data protection seriously. Your documentation should include any changes you’ve made to data storage; any changes made to consent forms online, as well as terms and conditions; and any information you have on why you’re allowed to contact customers, and whether you’re relying on consent or not.