White Paper: Understanding the new General Data Protection
By Alex Tanglao, Last updated: 2023-01-18 (originally published on 2018-05-24)
The new General Data Protection Regulation (GDPR) comes into force on Friday 25th May but what do you need to know and what steps should you be taking? Don’t be fearful of the looming deadline. The most important thing is that you can demonstrate you are taking steps towards compliance when the law changes.
Why and how is the law changing?
This new privacy law replaces the Data Protection Act (DPA) 1998. At 20 years old, the old laws are well past their best. Technology has evolved at such a fast pace that these new regulations are necessary to align the tech with the law.
The new regulations are not a complete change, rather they are an evolution of the existing laws. Indeed many of the new GDPR’s regulations main concepts and principles are much the same as those in the current DPA which you should already be complying with. These principles remain valid under the GDPR so you should already be on the path to full compliance. There are however a some improvements and new elements to consider and therefore you may need to make some changes and take some additional steps.
The main concern is how personal data is collected, processed, stored and shared. Personal data is any information that can be used to identify a person. This could be anything from name, contact info, religious beliefs and even information on cultural background and mental health history.
How does new GDPR regulations affect you and how do you ensure that your business is compliant?
So What Steps do you need to take with data protection law changes?
According to the Information Commissioner’s Office (ICO), there are 12 steps that businesses need to take to prepare for the implementation of the new GDPR regulations into UK law:
- Awareness: Ensure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
- Information you hold: Document what personal data you hold, where it came from and who you share with it.
- Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Individuals’ rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Subject access requests: Update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
- Lawful basis for processing personal data: Identify the lawful basis for processing activity in the GDPR, document it and update your privacy notice to explain it.
- Consent: Review how you seek, record and manage consent and whether you need to make any changes.
- Children: Assess whether you need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity.
- Data breaches: Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
- Data Protection Officers: Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
- International: If your organisation operates in more than one EU member state, determine your lead data protection supervisory authority.
For more resources for preparing your organisation for the upcoming changes to the data protection law, check out the ICO’s Guide to the GDPR.
What happens if you don’t comply?
The important thing now is to make sure you can demonstrate that you are actively taking steps towards compliance. Non-compliance comes with a hefty fine which could be up to 4% of your company’s annual global turnover. You will also be breaking the law which isn’t the best idea for the reputation of your company. Customer loyalty will certainly be adversely affected if you are fined for non-compliance. Remember, if you hold or process and personal data of any citizen of the EU then you are compelled to comply with the GDPR, even if your business is based outside of the EU.
Zegal can help you prepare.
So are you ready for the biggest change in data privacy regulation in 20 years? Remember It is your responsibility to demonstrate your compliance to the new regulations.
Zegal can help you keep ahead of the regulations. Our document library has been updated with lawyer-reviewed changes to ensure GDPR compliance. These documents now include clauses which are relevant to the GDPR.
- Information Audit Form: to help you map data flows in your organisation
- Security Audit Form: to let you document your technical and organisational measures to ensure data security
- Data Processing Addendum: to ensure your existing data processors comply with applicable data protection laws
- Employee Privacy Notice: to inform your employees and contractors of their privacy rights
- Letter to Amend Employment Contract: to bring employment contracts already in place in line with data protection requirements
We also have some new documents available to help you address GDPR requirements (available to all Professional and Premium Plan users):
- Data Processing Addendum to ensure your existing data processors comply with applicable data protection laws
- Data Protection Policy to inform employees about the company policy they should follow to ensure the protection and security of personal data when employees handle the data in job-related activities.
- Information Audit Form and Security Audit Form to help you map data flows in your organisation
Click here to learn more about our GDPR compliance toolkit.
If you have questions or concerns about how your information is handled by us, please contact us at firstname.lastname@example.org