It’s now less than a month until the EU’s new General Data Protection Regulation comes into force, governing the data that all organisations hold. It goes without saying that all organisations should be training their managers and executives on the GDPR and how it impacts all decisions related to treatment of personal data, as well as evaluating all of their systems, security practices, and related documentation. The ICO have published a useful 12 step guide for those still seeking guidance.
With preparations well underway, is your business upholding best practice methods?
Consent: any business that handles personal data will have to seek clear consent from customers for use of their data – which applies both to data gathered after the regulation takes effect and to data that is already held. This means that all existing data will have to be audited to make sure it complies with the new regulation.
Disclosure: the current draft of the regulation requires organisations worldwide to notify EU citizens of a data breach within 72 hours.
Right to be forgotten: businesses handling the data of EU citizens will have to erase data without undue delay if any individual asks them to do so. Consequently, organisations should be thinking about how to implement processes for responding to ‘right to be forgotten’ requests in a timely fashion.
Penalties for non-compliance: fines can reach €20m, or 4% of annual global turnover, depending on the seriousness of the breach.