As of 25th May 2018, the General Data Protection Regulations (GDPR) will be updated with new rigorous guidelines. This comes as a result of the growing scope of what is considered to be personal data. Personal data now comprises of online identifiers such as cookies and IP address, genetic data, biometric data and data concerning health. 

The new law marks a wide-reaching and significant shift in the way that organisations must protect personal data. According to the East Midlands Chamber (2017), this is the biggest change in data protection legislation in 20 years and will have a profound impact on businesses across many sectors. The GDPR applies directly to service providers that process personal data on behalf of an organisation, such organisations include cloud services, call centres and payroll services. 

According to IT Governance, the penalties are considerably tougher for GDPR. “Any organisation found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater” (IT Governance, 2017). The cost of non-compliance will also be compensation claims for damages suffered and reputational damage and loss of customer trust.

With that in mind, we must prepare for the upcoming changes to data protection to remain compliant and avoid fines. Here are 10 tips to be GDPR ready:

1. Ensure that decision-makers and key people within the organisation are aware of the new legislation and how it can impact the business.
2. Document what personal information you hold, including where it came from and who you share it with.
3. Review your current privacy information, making any changes to comply with the GDPR and communicate effectively to staff.
4. Ensure your procedures cover all the rights individuals have, including how they would delete personal data.
5. Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
6. Review how you seek, record and manage consent. Don’t forget to refresh existing consent if they do not meet the GDPR criteria.
7. Consider whether you need to put in a system to identify and verify an individuals age and to obtain a parental or guardian consent for any data processing activity.
8. Implement procedures in place to detect, report and investigate a personal data breach.
9. Designate someone to take responsibility for data protection compliance and assess where this role will sit within the structure of the organisation.
10. Provide adequate training on the new legislation for staff who are directly involved with data processing.

For more information, see below our recommended resources.

If you or your business is interested in learning more about the General Data Protection Regulation, and how to remain compliant within your organisation, contact This email address is being protected from spambots. You need JavaScript enabled to view it.

Alternatively, the Information Commissioner’s Office (ICO) have created two very useful checklists, to help data controllers and data processors get ready for GDPR.

Sources:
East Midlands Chamber, 2017. Website: http://www.emc-dnl.co.uk/site/10209/gdpr-what-this-means-for-your-businesss
Information Commissioner's Office, 2017. Website: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Information Commissioner's Office, 2017. Website: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
It Governance, 2017. Website: https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation