Data Protection Services (“GDPR” compliance)
May 25th 2018, the date on which the new General Data Protection Regulation (“GDPR”) becomes law, will be with us sooner than we think.
The new legislation brings significant changes in the way businesses and organisations can store and process data and puts much more onus on them to have either a sound legal basis for processing data or the explicit consent of the individual whose data is collected.
Furthermore, you have to be able to prove these legal bases, and that you have communicated them to the individual, before May 25th.
There are huge penalties (up to 4% of turnover for businesses or organisations) for non-compliance, so businesses must be prepared for the new regulation, which is fast approaching.
Here at Mushroom Management we can assist you with preparation for, and ongoing compliance with, GDPR through our sister company tlam. Tlam is currently helping law firms prepare for May 25th and has all the knowledge needed to help your business.
Overview of the new General Data Protection Regulation
The General Data Protection Regulation requires you to show how you comply with the new principles, such as:
- Having a clear understanding of the data you or your business processes;
- Having staff trained about the new data protection regulations;
- Documenting what actions will be taken from the data processing activity.
Before May 25th, businesses will have to make customers aware of what data they hold. From a legal standpoint, businesses will also have to inform customers what they are going to do with their data. Businesses processing a lot of data may therefore want to consider hiring a data protection officer (DPO). DPOs can help manage your data and make you aware of what data you are controlling, which is the legal requirement.
With or without a DPO, each business will need a Data Controller. The Data Controller is accountable for any failure of data processing and equally liable for breaches. A DPO can therefore help your business follow the new General Data Protection Regulation guidelines.
General Data Protection Regulation – Background information
The data protection rules that the General Data Protection Regulation replaces date from 1998. The rapid growth of the digital economy since 1998 has resulted in an enormous increase in the exchange of personal data.
The 1998 rules focused on the length of time you should keep data and on keeping only relevant data. The upcoming regulation in May will therefore place its emphasis on customers knowing that their data will be protected.
As you can imagine, the internet has advanced significantly since 1998, with businesses now collecting data online whether or not you, as a customer, are aware of it.
What has to be done
The Information Commissioner’s Office (ICO) has published its 12 steps to take now to become GDPR compliant. In following these, we believe there are three overall stages to achieve and maintain GDPR compliance.
1) IDENTIFY & ANALYSE
Identify and list all of the personal data for which you are a data controller or data processor. You need to document every process which involves personal data. Personal data includes client details, employee records and bank details. Analyse the personal data in each process: document where it came from, who has access and why, the legal basis for holding and processing it, and whether it is up to date and still required.
2) PLAN & IMPLEMENT
Before 25th May:
- Review and update your Privacy Policies and communicate them not only to staff but to your customers and clients;
- Prepare Data Processing Agreements;
- Review data security, both online and offline;
- Establish breach reporting procedures;
- Establish control of your information security assets.
After 25th May: Ensure that data is only used for the legal basis on which it was collected and that consent was explicitly given (if applicable). Communicate Privacy Notices to all stakeholders. Ensure that all new data processing undergoes a Data Protection Impact Assessment (DPIA).
3) ONGOING MANAGEMENT
Beyond implementation, your business needs to:
- Maintain good data governance over the personal data you control and process;
- Make sure your Data Protection processes are performing to the required standard;
- Foster a culture that ensures “buy in” from your whole organisation;
- Review your data protection compliance with a designated responsible person or Data Protection Officer (DPO).
Outsourcing your DPO
Tlam has a Data Protection Officer and is training more to serve its clients’ needs for quality data governance. Your senior managers, marketing managers or IT managers may not have the time or the training to take on this role. Similarly, tlam can also assist your own clients with GDPR compliance. Instead of employing a new person, use someone who is autonomous and will guide you on an independent basis.
Get in touch
If you are a business seeking help with your data compliance, do not hesitate to get in touch. The deadline of May 25th is fast approaching, and a penalty for not handling data correctly can be very damaging for your business. Get in touch with either tlam or Mushroom and we can talk you through the next steps to get compliant.