GDPR in 2018 – your quick summary.

Trying to get to grips with what GDPR looks like for your organisation in 2018? With so much information out there, it’s hard to pick out the key messages and be confident you understand what GDPR compliance requires. So what does GDPR even mean? GDPR stands for General Data Protection Regulation and it applies from 25th May 2018. The legislation introduces new rights for individuals and places far greater data protection obligations on organisations.

GDPR in the UK

GDPR is an EU regulation and will apply in the UK for as long as we remain a member of the EU. With Brexit looming, how does that affect the UK? The Government has already published a Data Protection Bill to set out what GDPR will look like post-Brexit. In the meantime, you need to start preparing for 25th May and GDPR now.

Searching for a GDPR summary?

GDPR introduces a new set of individual rights alongside stricter rules on consent. It’s important to prepare for each of these to ensure you’re GDPR compliant. You might hear these loosely described as the eight principles of Data Protection and GDPR, but note that the list below mixes consent obligations with individual rights; the data protection principles themselves (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) are a separate part of the Regulation. In summary, these include:

  • the requirement to obtain explicit consent in certain circumstances (for example, when processing special category data)
  • the right to withdraw consent
  • the right to be informed - all organisations must be transparent about how they are using personal data
  • the right to data portability - this allows individuals to retain and reuse their personal data for their own purpose
  • the right to object - in some circumstances, individuals are entitled to object to their personal data being used
  • rights in relation to automated decision making and profiling - safeguards to protect against the risk that a potentially damaging decision is made without human intervention
  • the right to rectification of incorrect or incomplete data – giving individuals the right to rectify personal data
  • the right to erasure - often referred to as the right to be forgotten

Preparing for GDPR in 2018

Understanding how to be GDPR compliant is critical. Each and every organisation is different, with unique data processes. A two-pronged approach is typically recommended. Firstly, a GDPR project group should be created to identify where change needs to take place. The ICO has published a 12-step plan to support organisations, see below. Secondly, with GDPR fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, it’s always recommended that organisations seek expert legal advice.

12 steps to help you prepare and be GDPR compliant

It’s likely that you will need to set up a GDPR project group, but where do you start? The ICO has a 12-point GDPR action plan to help point you in the right direction. As already covered, obtaining legal advice is also always recommended to ensure your organisation is fully compliant.

1. Awareness – make sure key decision makers are aware that the law is changing and consider where workforce training may be required

2. Information you hold – conduct a thorough audit and document all the personal data you hold.

3. Communicating privacy information – review your current privacy notices and update them where required

4. Individuals’ rights – check all your processes and procedures to ensure they support the rights individuals have under GDPR

5. Subject access requests – identify how to update your processes so you can handle requests within the new timescale (one month, rather than the previous 40 days)

6. Lawful basis for processing personal data – identify the lawful basis for processing data (and ensure your privacy notice is updated to reflect this)

7. Consent – conduct an audit to identify how you seek, record and manage consent. You may need to refresh existing consents to meet the new GDPR standards.

8. Children – check whether you need to put processes in place to verify ages and/or secure consent from a parent or guardian

9. Data breaches – ensure robust procedures are in place to detect, report and investigate a personal data breach

10. Data protection by design and data protection impact assessments – familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments. The latest guidance from the Article 29 Working Party is also a must read

11. Data Protection Officers – identify and/or appoint someone to take responsibility for data protection compliance

12. International - if your organisation operates in more than one EU member state you need to determine your lead data protection supervisory authority.

Follow the 12-point GDPR action plan and you’re on your way to becoming GDPR compliant. It acts as a great training and guidance tool for any project group, and serves as a useful GDPR checklist too.
