Well, here it goes. After months of reading about the General Data Protection Regulation (“GDPR”), building information asset registers, collecting information from colleagues to understand where information about individuals is held, processed and stored, updating key documents such as the privacy and data retention policies with the additional GDPR notices, and getting the rest of the organisation up to speed on GDPR, I’m starting (dare I say it) to see sunshine at the end of the tunnel.
Whilst at times it’s not dissimilar to travelling on the Orient Express (a looooooooong-distance passenger train), I’m now armed with a wider understanding of GDPR. That said, I felt a blog post was appropriate to help others still travelling towards the end of their journey!
Let’s put this into context
The General Data Protection Regulation, “GDPR”, came into effect on 25 May 2018. In many ways, GDPR is very similar to the Data Protection Act 1998. A lot of the rights and obligations under the Act remain the same; GDPR builds on and expands those rights.
I believe it will be the source of significant change for a wide range of organisations. The regulation will ensure that organisations act with greater care and attention in how they handle an individual’s data.
I can categorically state that complying organisations will be more transparent and proactive regarding a data breach. A breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of it (and, where the risk is high, the affected individuals must be told as well). Failing to do so can result in a significant fine: up to 10 million euros or 2 per cent of global annual turnover, whichever is greater, with the top tier for the most serious infringements (such as breaching the core principles or individuals’ rights) rising to 20 million euros or 4 per cent. Yes, this GDPR route just got millions of pounds more serious.
The Supervisory Authority for GDPR in the UK is the Information Commissioner’s Office, or “ICO”, as it was under the Data Protection Act. The advisory team at the ICO are really very helpful in answering any questions regarding GDPR; if in doubt, it really is well worth a phone call (helpline number is 0303 123 1113)! ico.org.uk
Some Useful Do's
- There are six lawful bases for processing and/or sharing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. It’s important that you know what they are and which one your organisation is relying on for each type of processing. Complete GDPR training and get informed!
- If you make a mistake that may affect personal data, such as emailing something to the wrong person, do not hide it. It must be reported to the person in your organisation responsible for data protection, so that the 72-hour reporting clock can be assessed.
- Be mindful of what you write about individuals, bearing in mind that in future it could be included in a Subject Access Request.
- Consider the GDPR principles: do not give personal data away without a lawful basis and without verifying the identity of the person asking, and do not ignore requests from individuals to access their personal data (a Subject Access Request must normally be answered within one month).
- IF IN DOUBT, ASK – speak to the person in your organisation responsible for your data protection policy, or call the ICO.
- Maintain your data files and clean up your mailboxes – ensure that anything that needs to be retained for your organisation is held in a centrally managed system, and that anything past its retention period is deleted. You can also contact VeryPC digital security specialists to work with you to determine the best combination of products for your requirements.
Best of luck with it all!
T: 0114 321 8609