
GDPR is coming 25th May 2018. Here is our mini guide to what GDPR is and what it means for organisations, small and large:
Control where your data is and how it’s stored, shared and accessed
What is GDPR?
The General Data Protection Regulation (GDPR) becomes law in May and is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy.
The GDPR makes it considerably easier for citizens to bring claims against companies when data privacy is infringed.
If organisations fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
The regulations are law and apply to all organisations – businesses, public bodies, charities, sporting organisations.
So What Do You Need to Do?
1. Review Your Data
Your organisation will have to look at how it manages, prepares, secures and harnesses data and content from different sources. First, you'll need to know your data: what it is, where it comes from, whether it is personal or sensitive data, where you share it and how you use it. You may have to change where you store data as well as how it is handled internally.
2. Demonstrate Consent
You’ll also need to be able to demonstrate that consent to processing personal data is clear, specific and explicit. For this reason, you should avoid relying on consent unless absolutely necessary.
3. Check Security
Next examine your security measures and policies to make sure these are GDPR-compliant. If you don’t currently have any security measures, get them in place. Using encryption is a good way to reduce the likelihood of a big penalty in the event of a data breach.
4. Review Suppliers/Contractors
Make sure that all your suppliers and contractors are GDPR-compliant. This may require updating your contracts with suppliers, e.g. requiring them to notify you promptly if they have a data breach.
5. Update T&Cs
Update your Terms and Conditions and Privacy Policy on your website and anywhere else that you collect personal data so that you can describe to individuals what you’re doing with their personal data.
6. Consider a DPO
You may need to appoint a Data Protection Officer (DPO). Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors of data. Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity.
7. Train Employees
You will need to train employees to know what is meant by a personal data breach. You’ll need to build processes to know when data breaches have occurred. Everyone involved in your business needs to report any mistakes to the DPO or the person or team responsible for data protection compliance. And serious breaches must be reported within 72 hours.
8. Prepare for SARs
Your organisation will have to answer Subject Access Requests (SARs) that come in from customers or prospective customers; this is where they request a copy of the personal data you hold about them. Under the GDPR, citizens have the right to
- access all of their personal data,
- have anything that is inaccurate rectified,
- object to processing in certain circumstances,
- completely erase all of their personal data that you may hold.
You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. Information must be provided without delay and at the latest within one month of request.
Rinodrive has been built to help Data Protection Officers meet GDPR requirements. At Rinodrive, security and privacy are the highest priority. We understand that the confidentiality of data and protocols is critical. All of your data is stored in highly secure data centres managed by dozens of compliance programs and audit safeguards. Try Rinodrive and discover for yourself that there's an affordable and easily implemented solution.
Ready to give Rinodrive a go? Signing up for a free trial is just
How are you feeling about the fact that GDPR is coming? What’s your experience so far? Share your thoughts below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).