From next spring the way we collect and handle data is changing, with tough new penalties for companies that fail to comply. Carolyn Rossiter, Partner at Moore Stephens accountants, explains the changes and what you need to do.
Personal data has been a topic of discussion over the last few years, and whatever industry you work in you will have seen how quickly data is changing the face of the world. In April 2016 the General Data Protection Regulation (GDPR) was ratified by the European Union, and it comes into effect on 25 May 2018. The aim is to give citizens more control over their personal data (defined as ‘any information relating to a person who can be identified directly or indirectly’) and to ensure that rules relating to data protection are applied consistently.
DATA PROTECTION ACT VS GDPR
GDPR will replace the Data Protection Act, but it will not be an identical replacement. Here are the differences. As you can see, GDPR introduces new mandatory regulations and substantially increases the fines for non-compliance. On the consumer side, individuals gain more rights: not only the right to erasure, but also the right to dictate how their data may be used, especially where it is no longer necessary to hold the data.
NEXT STEPS TO COMPLY
- Ensure your organisation is fully aware of the changes and has given due consideration to the impact of the new legislation.
- Review the personal data you currently hold. Where did it come from? Who do you share it with? This should be documented in advance of the GDPR enforcement date; an information audit may be needed.
- Review your current privacy notices and ensure any necessary changes are planned in advance of the enforcement date.
- Check procedures to ensure they cover all the rights of individuals. Include how you would delete personal data or provide data to individuals electronically and in a commonly used format.
- Update procedures to explain how you plan to handle subject access requests within the new timescales, meet the GDPR requirements and provide the additional information required.
- Review the types of data processing you do, identify the legal basis for carrying it out and document this accordingly.
- Review how you currently seek, obtain and record consent from your customers. Consider if changes need to be made.
- Start thinking about putting new systems in place to verify the age of individuals and to gather parental or guardian consent for data processing activities.