#1 Preparation
New rules relating to how we collect and process personal data - the EU General Data Protection Regulation (GDPR) - will come into effect in the UK from 25 May 2018.
What is GDPR? The GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.
The new regulation starts on 25 May 2018. It will be enforced by the Information Commissioner's Office (ICO).
The Government has confirmed that the UK's decision to leave the European Union will not alter this.
What do I have to do now? Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.
#2 Achieving Compliance
- Under GDPR, companies need to demonstrate a "lawful basis" for using personal data. Identification of a legitimate interest involves three key tests: Why is the data needed? Could it be done another way? Do the individual's rights override the data controller's legitimate interest?
- Companies should map out what data they collect, how it is collected and stored, what it is used for, who has access to it; is the data shared or sent cross-border? They may also need to update their privacy policy to make it clearer to customers how their data is held or used.
- Under GDPR, it is mandatory to report data breaches within 72 hours of becoming aware of them.
- GDPR does not explicitly state that you must appoint a DPO. But if you process "sensitive" personal data on a large scale, then you may need to appoint one ("large scale" does not necessarily mean hundreds of thousands of data subjects).
- Personal data must be kept up to date. Inaccurate or outdated payroll data should be deleted or amended.
- Size doesn't matter: Whether you’re a one-person operation or a larger-scale operation, GDPR affects anyone or any organisation that processes personal data.
- Hefty fines imposed for data breaches: Penalties for data breaches (fines of up to €20 million, or 4% of annual turnover, whichever is higher) are more far ranging under GDPR than under the Data Protection Act it supersedes.
- Data privacy should be incorporated by design. Make sure you are not capturing more data than you need to process the subject in hand.
- GDPR will not put an end to high-profile data breaches. It should, however, make organisations, like payroll companies, or anyone that handles personal information, focus more on avoiding them. It should also make it easier for people to find out more quickly when data breaches occur.