On the 25th May 2018, the Data Protection Act will be superseded by a new piece of legislation, the GDPR.
This new legislation has been introduced to make sure that every company within the EU, as well as those who trade with the EU, adheres to the same set of rules and standards when it comes to protecting any data they hold about the individuals they do business with.
Companies will want to get as far ahead of the curve as they can when it comes to implementing these new measures. Preparing early will save businesses a considerable amount of time and stress down the line and will help to ensure compliance when these new rules do come into force.
Here are the new requirements that businesses need to be most aware of in order to ensure that they are ready for the introduction of this new legislation.
Explicit Consent
The new General Data Protection Regulation mandates that businesses must give their customers the chance to explicitly consent to their personal information being stored. Under the Data Protection Act it was enough to offer customers an opt-out; that is no longer the case. The GDPR mandates that customers must be presented with an explicit choice and give their consent before their data can be stored. Consent must be given for every piece of information that is to be stored and can be withdrawn at any point.
Demonstrating Compliance
Businesses will no longer be assumed to be in compliance with the GDPR until proven otherwise; instead, they will need to demonstrate their compliance by showing how they comply. To this end, businesses will have to clarify their data and security policies, while also ensuring that every member of staff has been trained on how to abide by the new regulations. Businesses are further required to provide proof, on request, of how each piece of individual information is stored.
Breach Reporting
Companies that remain compliant with the GDPR are unlikely to face problems with data breaches; however, where breaches do occur, they must be reported within 72 hours of the business becoming aware of the issue. Any business that fails to promptly disclose the details of a data breach will find itself running afoul of the new legislation and facing even tougher fines than it would have under the Data Protection Act.
Data Protection Officers
The GDPR clearly states that public authorities, as well as those who control and process data and a small number of other specified individuals, have a legal obligation to appoint a data protection officer (it is, however, recommended that every business appoint a staff member to such a role). The data protection officer needs to have an advanced knowledge of the company's needs and its data management processes. Check this link to find out more about GDPR requirements.
The GDPR looks like a worthy successor to the data protection act that, like its predecessor, will ensure that individual data is held safely, securely, and responsibly.