The General Data Protection Regulation (GDPR) is a response to the digital age, which has brought a proliferation of easily accessible and shareable personal data.
The regulation was adopted on 27 April 2016 with the aim of strengthening and unifying data protection for all individuals in the European Union. When it becomes law on 25 May 2018 it will replace the current Data Protection Directive of 1995.
By harmonising data protection and privacy laws across the European Union, the GDPR will strengthen the rights of EU citizens and residents and give them control over their personal data. Businesses and organisations will have a single regulatory environment throughout the EU specifying how to collect, hold and process personal data.
You will have to review, analyse and probably revise the way you collect, use and store personal data. The regulation stipulates that personal data can only be collected, used and retained for specific business purposes. The data must be accurate and kept up to date. It may not be used for other purposes, unless permission for that use has been given. Individuals must be given access to their data when they request it and you need to know how to respond to these requests when they arise. You also need to ensure the data is held in a secure environment and that in the event of a security breach you respond appropriately.
Your organisation will be held responsible for informing and training your staff members about the GDPR, especially regarding how the new regulations will affect employees’ job responsibilities. You will need systems in place to train current, and future, staff so they know how they can use customer, supplier and employee information.
Your data protection policies must be communicated to your employees and must be published on your websites and other communication portals.
The requirements brought about by this new legislation will seem daunting to some, but they are manageable. There are ways in which you can simplify the implementation and maintenance of your data protection programme. You could share the responsibilities amongst staff, appoint a data protection officer, or engage a consultant or an external service provider.
To become compliant you will need to:
- Address the way you collect, use and store the personal data of customers, suppliers and employees
- Train your staff so they understand how they can use personal data
- Prepare and provide privacy notices, and other relevant policies
- Have a system in place to manage individuals’ data access requests and security breaches
- Appoint a person or service to help you meet these needs
GDPR365 provides a data protection service for you to follow that will help you achieve compliance.
Image credit: http://www.eugdpr.org/