The mention of data protection might mean that your eyelids start drooping but try and stay awake long enough to read this article so that you know what to do before 25 May 2018 when the new data protection rules come into force in the UK.
Any business which controls or processes data will need to prepare now to ensure that it will be able to comply with the new EU General Data Protection Regulation (GDPR) and the new Data Protection Act later this year. The new laws require organisations to be more proactive and give more consideration to how and why they store, use and even destroy personal data.
Taking the steps below will ensure that you are not caught out by the changes, for which large fines can be imposed for a breach of the new laws: up to €20m or 4% of annual worldwide turnover, whichever is higher.
8 Steps for businesses to prepare for DPA changes
- Ensure that your business is registered as a data controller with the Information Commissioner’s Office – most organisations that process personal data must be registered (the exemptions are limited) and failure to register when required is a criminal offence
- Carry out a data audit to identify all personal information held, how it was collected, whether and why it needs to be retained, and what it will be used for in future
- Identify the lawful basis for each use of the personal data you hold. Where you rely on consent, check that it has actually been given and what its scope is (keep a paper trail as evidence of consent) – develop a system for asking for and recording consent in future. Consent is only one of the lawful bases available; where you rely on another (eg. performance of a contract, a legal obligation or legitimate interests), record which one and why
- Prepare or update and issue “privacy notices” to anyone whose data you control, eg. staff and contractors – the new laws impose stricter requirements on organisations to inform those whose data they hold about their rights and why they hold the data
- Arrange for your data protection policy and code of conduct to be updated and inform staff about the changes
- Review contracts to ensure compliance with the new laws – consent must be freely given, specific, informed and unambiguous, so blanket consent clauses in employment contracts will need to be modified, and you will need a written contract with any organisation processing data on your behalf that commits it to adequate data protection standards
- Devise a data breach response programme – a personal data breach must be reported to the Information Commissioner’s Office within 72 hours of your becoming aware of it unless it is unlikely to result in a risk to the individuals concerned, and where the risk to them is high the affected individuals must also be told without undue delay
- Assign responsibility for data protection compliance to a senior manager, check whether your business is one of those required to appoint a Data Protection Officer, and provide relevant training for the responsible person and all other staff in your business.
If you require any further advice or assistance with the above steps, please contact Caroline Banwell.