The GDPR is a new approach to the collection, use and protection of personal data. It replaces the national laws that implemented the 1995 Data Protection Directive, including the UK Data Protection Act 1998, unifying data protection rules and easing the flow of personal data across the 28 EU member states. It applies directly from 25 May 2018 to all organisations that process the personal data of individuals in the EU, wherever those organisations are based.
Why is it important to me and my customers?
GDPR increases the obligations this website already has under the current Data Protection Act, and Taking Control recognises that it will require new processes and communications in addition to our current data protection procedures.
Key points of the GDPR relevant to this website, where I will be reviewing and updating my data collection processes, are:
Documenting the information I hold:
– The regulation requires clearer records of what personal data I hold, where it came from, the purposes it is used for and who it has been shared with.
Better communication of privacy information and legal basis for processing personal data:
– GDPR requires privacy notices to clearly tell data subjects who the controller is, the purposes and legal basis for processing their data, how long it will be retained and their rights under the GDPR (see below).
Explicit individual’s rights:
– The regulation gives data subjects a number of enforceable rights, including subject access, rectification, erasure (‘the right to be forgotten’), restriction of processing, data portability, objection, and the right not to be subject to decisions based solely on automated processing, including profiling.
Changes to the definition of consent:
– Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (pre-ticked boxes, silence or inactivity do not count). It must be as easy to withdraw as it was to give, and the GDPR firmly places on the data controller the responsibility for demonstrating that consent was given.
Increased data breach reporting:
– Personal data breaches must be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without undue delay.
Data protection by design:
– A data protection impact assessment (DPIA, the GDPR’s successor to the privacy impact assessment) is required before starting any new processing that is likely to result in a high risk to individuals. The GDPR builds on the concept of ‘privacy by design’ as data protection by design and by default, and requires data protection to be built into risk management and project management processes from the earliest stage.
I have conducted an extensive audit of current procedures and processes and have identified areas where these need to be augmented to comply with GDPR.
These changes are being made and will be reviewed again before GDPR comes into force. I will also be ensuring that an appropriate governance structure and testing routine are in place to ensure ongoing best practice and compliance.