Are you ready for GDPR?
The EU’s new General Data Protection Regulation (GDPR) is expected to cause significant difficulties for businesses as they make the changes needed to bring their data handling into line with the new rules.
The GDPR replaces the current data protection regime with one intended to be fit for purpose in the modern digital age. Under the current UK Data Protection Act 1998 (DPA), anyone can request the personal information that an organisation holds about them. The new legislation will require organisations to respond to these subject access requests, or SARs, much more quickly than before. Under the DPA, organisations have 40 days to respond and may charge a fee of £10. When the new rules come into effect in May 2018, they will have to comply with an SAR within one month and, in the normal case, will not be able to charge a fee. The one-month period can be extended by a further two months where requests are complex or numerous, provided the requester is told within the first month, and a reasonable fee may still be charged where a request is manifestly unfounded or excessive, or for additional copies of data already supplied.
Organisations that miss the deadline, or fail to provide all the information requested, could face a fine. The UK Information Commissioner’s Office (ICO) can currently impose fines of up to £500,000 for serious breaches of the DPA; under the GDPR the maximum rises to €20 million or 4% of worldwide annual turnover, whichever is higher.
Alongside a copy of the data itself, organisations must also tell the requester what categories of personal data they hold about them, who that data has been or will be shared with, the purposes for which it is being processed, and how long it will be retained.
Organisations will also have to appoint a dedicated data protection officer if their core activities involve large-scale processing of sensitive (special category) data or regular and systematic monitoring of individuals on a large scale. Under the GDPR, businesses will have to keep auditable records of the personal data they process and notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
Organisations must put in place a specific process for handling SARs under the new rules and prepare standard wording that supplies the additional information they are required to disclose alongside the requested data.
Businesses will also need to make sure that their systems are organised so that an individual’s data can be located and retrieved as quickly as possible. Staff should be trained to recognise when a request constitutes an SAR, bearing in mind that a valid request need not cite the legislation or use the words “subject access request”, and to pass such requests immediately to those responsible for managing responses.