The GDPR (General Data Protection Regulation) isn’t to be confused with the DPRK or even the DDR, although businesses could be forgiven for thinking otherwise. Press coverage has emphasised the greatly increased powers accorded to the Information Commissioner’s Office (ICO) and the substantially increased fines for noncompliance. Although this is true, such coverage says little about the reality of this new legislation and what GDPR compliance entails.
The GDPR will apply across the European Union (EU) from May this year and will continue to apply to any company conducting business with EU based clients and customers regardless of the ultimate shape of Brexit.
Achieving GDPR compliance is fundamentally a three-stage process: identifying your obligations and responsibilities under the GDPR, putting in place the necessary people, resources and processes, and addressing any underlying system requirements to achieve and facilitate compliance. It is important to understand that, for companies and organisations, the GDPR is as much about risk mitigation as it is about simple compliance.
This list looks daunting because, for some companies, the scale of the GDPR is daunting. Regardless of your size, we can help you navigate the potential pitfalls and ensure that your transition to this brave new world is as smooth as possible.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
- The GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking.
- The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
- If a child is younger, you will need to get consent from a person holding ‘parental responsibility’. This could have significant implications if your organisation offers online services to children and collects their personal data.
- Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- You may be required to inform the ICO if you suffer a breach.
- All organisations must report a breach that could result in: discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
- You may also have to notify the individuals affected, so establish procedures that let you effectively detect, report and investigate a personal data breach.
- Assess the types of personal data you hold and document where you would be required to notify the ICO or affected individuals if a breach occurred.
- Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.