All About the General Data Protection Act Law Changes
“The EU General Data Protection Regulation is the most important change in data privacy regulation in 20 years.” – EUGDPR.org
At Bamboo Nine we are passionate about transparency in business and about always being open and honest with our clients about the work we’re doing and how they may be affected by changes in the industry. We understand how important data protection is for your business, but there are some changes coming into play on 25th May 2018 that may affect how your data is used, shared and protected.
Who Does the GDPR Affect?
The GDPR affects and applies to all companies and organisations processing and holding the personal data of people residing in the European Union, regardless of the location of the company.
What Does ‘Personal Data’ Mean?
Personal data is any information about a person that can be used to identify them, either directly or indirectly. This can be anything from a photograph, name, bank details, social networking profiles or medical information to an email address.
Time is Running Out to Make Changes!
Complying with the General Data Protection Act Law Change isn’t a matter of just ticking a few boxes; you must be able to demonstrate that you comply with the new regulations. For many of you, achieving full compliance with all of the GDPR’s requirements will be a long journey, and you may not be 100% compliant by the 25th May 2018 deadline. So, rather than panic, it’s important you start prioritising those areas that lack action and could leave your organisation exposed when the time comes.
How to prepare for the Data Protection Changes
Most of the main concepts in the General Data Protection Act Law Changes are the same as those in the current Data Protection Act, so if you are complying properly with the current laws, you will only need to make minimal changes. However, there are a few new elements of data protection that are being added for the first time, and there are some things that will need doing differently.
Clearly Communicate Privacy Information
It is important to review your current privacy notices and put a plan in place for notifying clients and customers of any necessary changes in time for the General Data Protection Law Act implementation.
When you collect personal data from people, you have to give them certain information about how you intend to use it. However, with the GDPR changes there are some additional things you must tell people, such as the lawful basis for processing the data and the individual’s right to complain if they think there is a problem with the way you are handling their data. All of this information must be provided in concise, clear and easy-to-understand language.
Awareness
It is a priority that the managers and decision-makers in your organisation are aware of the law changes and the impact this will have. If they are not aware, why not send them this article?
Organise the Information You Hold
Another preparation to make is organising and documenting all personal data you hold, where it came from, and who you share it with.
Check the Rights of Individuals
You must check your company procedures and ensure they cover all rights the individuals have, including how you delete personal data. The GDPR requires the following rights for individuals:
- The right to be informed
- The right of access
- The right to erasure
- The right to rectification
- The right to data portability
- The right to restrict processing
- The right to object
- The right not to be subject to automated decision-making, including profiling
Subject Access Requests
You should update your procedures and make a plan for how you will handle subject access requests under the new rules, including how you will provide any additional information that is now required.
Lawful Requirements for Processing Personal Data
You must identify the lawful basis for each of your processing activities, document it, and update your privacy notice to explain it. Although under the current law this does not have many practical implications, this will change under the GDPR, as people will have stronger rights over their data.
Consent
You should review how your organisation seeks, records, and manages consent. If you need to make any changes, make sure they’re done before the law changes on May 25th 2018.
Consent for Children
For the first time, the GDPR is bringing in special protection for the processing of children’s personal data. If your organisation offers online services to children and relies on consent as the basis for processing, then you will need a parent’s or guardian’s consent to process their personal data lawfully. You must put child protection measures in place to verify individuals’ ages and to obtain parental or guardian consent where it is needed.
How You Deal with Data Breaches
Make sure you have the right data breach procedures in place to detect, report and investigate any personal data breach that may occur. Failure to report a breach could result in a fine in addition to a fine for the breach itself, so in most cases it’s important that you notify those affected directly.
Designate Data Protection Officers
To help you deal with all the changes seamlessly, you should designate someone to take responsibility for data protection compliance. It is important that whoever you assign to this task takes proper responsibility for your organisation’s data and has the knowledge, authority and support to carry out their role effectively.
International Responsibilities
If your company operates internationally, you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this successfully. This is only relevant if your organisation carries out cross-border processing (for example, you have establishments in more than one EU member state or you have one establishment that carries out processing which affects individuals in other EU states).
Find Out More
If you would like to know more about the General Data Protection Act Law Changes, you can find out more by following these links:
- https://privacy.google.com/businesses/
- https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- http://www.cookiechoices.org/
If you have any further questions about the direct impact these data law changes will have on your business, please do not hesitate to call us. Help spread the word and don’t forget to send this article to all your friends!