You’ve probably heard that the General Data Protection Regulation (GDPR), the EU’s new legislation to improve personal data security, is approaching faster than the next political resignation. It might seem a bit overwhelming at this point with all the post-referendum complications, but the key to tackling any challenge is breaking it down into manageable steps.
Our whitepaper gives you an overview of the five things you need to do now in order to prepare for the upcoming changes. Get cracking asap to save yourself a serious headache down the line – this is serious stuff and you will be penalised if you don’t prepare properly!
The changes outlined in the GDPR are set to come into play from May 2018 and, even in the post-Brexit world that we’re living in, UK businesses will still need to be compliant with this, or something very similar. So, the simplest thing to do in the long run is take steps to ensure your business is ready – you’ll feel better once it’s done, trust us.
This is what you need to do:
- Know your data – Keep a record of the data operations and activities carried out by your business. Make sure you know the type of data your business processes, how it’s used and where.
- Carry out a data protection impact assessment (PIA) for high-risk projects – This is done by the controller (the person who collects the data and is responsible for how it’s processed and used) to identify non-compliance risks and improve protective measures as needed.
- Designate a data protection officer (DPO) – For some companies it’s mandatory to have a data protection officer; for some it’s merely good practice. The DPO’s tasks will include: advising colleagues on their organisation’s GDPR compliance and monitoring it through training and raising awareness, running audits, advising on PIAs and working with the supervisory authority.
- Notify the supervisory authority of a data breach – Data breaches increase the threat of identity theft, fraud, financial loss, reputational damage and loss of confidentiality. To reduce the risk, data controllers must notify the supervisory authority within 72 hours of becoming aware of the breach or face a hefty fine.
- Implement “privacy by design” and “privacy by default” – “Privacy by design” means taking privacy risk into account when designing a new product or service, rather than treating it as an afterthought, while “privacy by default” ensures that only as much personal data is collected, used and kept for each task as is needed.
If this still seems a bit overwhelming, or you’re looking at this and have no idea what most of it means, there are more top tips on how to become GDPR compliant from the experts in our whitepaper.
It also outlines the consequences of not complying, including much heftier fines than before – the stick is never as fun as the carrot but it’s important to know too!
Disclaimer: The information in this blog is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.
Don’t leave it to the last minute – prepare now. Read our full ‘essential GDPR facts and myths’ whitepaper to find out more: