“I love deadlines. I love the whooshing noise they make as they go by.”
So said the late Douglas Adams, who was notoriously bad at hitting them. Stephen Fry once said that the only way to get his friend writing was to sit in the author’s front room with his editor – usually crying in despair at her schedule – while Adams hand-typed one A4 sheet at a time and handed it over. We can laugh about it now, but we shouldn’t emulate the acclaimed author’s procrastination. Especially when it comes to the GDPR.
How many sleeps?
The GDPR – or General Data Protection Regulation – comes into force on 25 May 2018, so if you’re watching the Royal Wedding without having tackled it yet, you might want to check your priorities. The new legislation is not unreasonable, nor overly complicated, but will require some legwork.
The GDPR is a positive change
The GDPR will ensure that – should a company lose data or suffer a security breach in this age of cyber-attack – the company can accurately establish the extent of the loss and be confident that it had permission to hold that data in the first place. The GDPR addresses the challenges of the digital age, where documents are held both on paper and in countless media online.
Key points to consider
- Significantly higher fines can be imposed on organisations failing to comply
- There’s a broader definition of what constitutes ‘personally identifiable information’
- The rules for consent become more stringent
- Organisations now must respond more quickly to access requests
- Data collection management and tracking must become much more transparent
- Accountability: organisations must be able to document how they comply with the GDPR.
Individuals have more rights
In addition, individuals will have many more rights with regards to information held about them. They have:
- The right to be informed.
- The right of access.
- The right to erasure (the right to be forgotten). This is NEW.
- The right to rectification.
- The right to restrict processing.
- The right to data portability. This is NEW.
- The right to object.
- Rights in relation to automated decision making and profiling.
The Subject Access Request is key
In addition, from 25 May 2018, every individual will have the right to submit a Subject Access Request (SAR) to any organisation, business, public body or charity to find out what information is held about them. That organisation then needs to respond, within one month, with full details of what information they hold, and – crucially – why they hold it.
Every organisation has a duty
Handling information appropriately has become a telling indicator of a business’s, organisation’s or charity’s quality, an indicator that’s increasingly valued by a cyber-aware public. But perhaps more compelling still is that failure to comply with the GDPR can result in fines of up to 4% of global turnover. And that’s not to mention the damage to reputation and loss of public confidence. Yikes.
Start simply
The starting point for every organisation will be to identify and understand what personally identifiable information they hold and where it is stored. Is it backed up? Has appropriate consent been obtained and recorded? For small organisations, checking on this may quickly reveal that they have little to worry about. For more complex ones, the task is greater, but far from unmanageable.
We can help
The good news is, we can get you up to speed with the requirements of the GDPR and either prepare you for 25 May, or work on compliance after that date. Talk to us about how we can help.
Find out more