GDPR: Less Than Two Weeks
What is GDPR? GDPR stands for the General Data Protection Regulation. This regulation is replacing the current European Data Protection Directive, taking effect on the 25th of May – less than two weeks’ time.
The GDPR applies to all companies worldwide that process personal data of EU citizens. Here are 5 key points you should know before the GDPR deadline.
Organisations that breach GDPR regulations could be at risk of hefty fines. Not processing an individual’s data correctly, failing to appoint a data protection officer where one is required, and a security breach can all result in fines. These could be up to 4% of annual global turnover or €20 Million, whichever is the greater amount.
Did you know? The maximum potential fine is halved if your company does not share data internationally, or isn’t a public body.
3. Personal Data Breaches:
Organisations should have a process in place to assess the likely risk to individuals of a breach and need to know who the relevant supervisory authority for their processing activities is. There should be a process in place to notify the ICO of a breach within 72 hours of becoming aware of it, even if not all details have been obtained by the 72-hour mark.
Did you know? In certain cases, the 72-hour limit does not apply.
Consent must be the most appropriate lawful basis for processing. The request for consent must be separate from terms and conditions, and pre-ticked boxes are prohibited. Clear, plain language is mandatory to specify why the data is needed and what is being done with it.
Did you know? For marketing purposes, you don’t necessarily need consent to process data! ilicomm could potentially save you time and money chasing consent.
The documentation of processing activities is a new requirement under the GDPR. Documentation can help you comply with other aspects of the GDPR and improve your data governance. Records must be kept up to date and reflect your current processing activities. The ICO has provided checklists for your documentation processes; take a look at them here.
Did you know? Under GDPR, the liability of data processors is significantly increased and even shifted in some cases if the contracts are right.
5. Children’s Data:
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have. The ICO has another checklist you may find useful for this topic here.
Did you know? Counselling services to children are exempt from having to retain parental consent for processing.
There are subtleties in regard to GDPR compliance that are not immediately obvious, and with working parties still developing the regulation, it can be difficult to hit a moving target.
If you feel your organisation is still unprepared to comply with the GDPR, ilicomm can help. But with less than two weeks to go, there’s no time to waste. Call us now.
ilicomm has over 25 years of experience delivering cost-effective information security and regulatory compliance solutions. Contact us to discover how we can ensure your business’s security is at its most efficient and cost-effective.