In order to be ready for the GDPR by May 2018, it is important to start familiarising yourself with its principles now. This, together with an audit of your organisation's processes, will help you determine whether you will be able to uphold the individuals' rights introduced by the GDPR, and how.
This post will help you gain a better idea of the changes the GDPR will introduce, explaining its core principles and what these mean for your business.
Data Access and Portability
Citizens will have the right to request from businesses the data held about them. The existing Subject Access Request (SAR), which enables businesses to charge individuals £10 for providing this information, will no longer be valid. Organisations will need to be able to provide individuals with their data in a machine-readable format within one month of the request and free of charge.
Right to Erasure
This is also referred to as "the right to be forgotten", and it means that individuals will have the right to withdraw consent and ask the company to delete any information about them. Furthermore, a company that has made the personal data public will be obliged to inform other businesses processing that data to erase any links to, copies of, or replications of those data.
The GDPR sets new standards for consent.
Consent forms will need to use plain and clear language, avoid pre-ticked boxes, and state the purpose of data processing in an accessible way. Consent must be requested for every purpose of the activity, and individuals must be informed of the actions needed to withdraw it. Once consent is received, organisations will be obliged to keep records of it to demonstrate that processing is lawful.
It is vital that you review the way you ask for consent, and be aware that complying with these new requirements can be an opportunity to enhance customer trust.
The GDPR establishes that organisations must report data breaches to the Information Commissioner's Office (ICO) and, in some cases, to the affected individuals. Nevertheless, you only need to notify the ICO when a breach is likely to result in a risk to individuals, for example financial loss or discrimination. That said, it is advisable to implement measures to detect and investigate personal data breaches.
Privacy by Design
Appropriate technical and organisational measures will need to be employed to demonstrate that the GDPR is fully integrated into the organisation's activities. For instance, you should ensure that by default only the necessary personal data are processed, and that when selecting and using applications for data processing you prioritise those that comply with the data protection regulation.
In conclusion, you will need to review your processes in light of the GDPR principles and implement the appropriate measures to make sure you will be able to comply with the GDPR and meet citizens' requests.
Claimable is committed to helping our customers comply with the GDPR and, as a data processor, we are committed to full GDPR compliance by May 2018.