Like it or not, GDPR is going to impact all companies. As an example, consider the amount of personal data you hold on just your employees and LOSCs!
GDPR came into force in May 2016, with a two-year transition period, becoming enforceable from 25 May 2018. The principles are very similar to those of the EU Data Protection Directive; however, the GDPR contains a number of changes including:
- Enhanced documentation to be kept by data controllers
- Enhanced privacy notices
- More prescriptive rules on what constitutes consent
- Mandatory data breach notification requirements
- Enhanced data subject rights
- New obligations on data processors
- Expanded territorial scope
- Appointment of Data Protection Officers
- Significant increase in the size of fines and penalties
What is covered by GDPR?
Both personal data and sensitive personal data are covered by GDPR. Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it. Sensitive personal data encompasses genetic data and information about religious and political views.
Who enforces GDPR?
GDPR is governed by the Information Commissioner's Office (ICO), which has the authority to enforce stiff fines for non-compliance. Before you panic, the ICO is not out to get you: as long as you have shown due diligence, it will be understanding if you fall foul of GDPR.
Who needs to be aware of GDPR in your company?
In the first instance, directors and senior managers need to be aware of GDPR and take steps to ensure that the company meets its obligations. This will then need to filter down to other members of your organisation to ensure they are following procedures.
What's next?
We would love to be able to give you a template/action plan to ensure you are compliant. However, how each company approaches GDPR will differ depending on the data the company processes and who has access to it. In the first instance, you will need to assess where, and how, the personal data you hold is being processed. This will dictate your action plan moving forward.
What is important is that you take action NOW!
Links
There is a huge amount of information out there relating to GDPR. Just a few of the links we have found useful can be found on the right.