Privacy has never been more at risk. Personal information can be acquired, stored and shared on a scale that would have been unimaginable 30 years ago – website tracking, cookies, location tracking apps were the stuff of science fiction. Now the law is catching up. May 25, 2018 will see the biggest change to British and European data protection legislation in 20 years when the General Data Protection Regulation (GDPR) comes into force, writes Geoff Trobridge, partner at Lester Aldridge.
All businesses must be proactive in protecting the personal data of their customers, employees and other individuals. Do not think that the law applies only to hi-tech giants or that compliance is simply an IT matter. Small organisations have fallen foul of the existing law for the loss of paper files and the new law is more stringent.
The Information Commissioner's Office (ICO) has published 12 essential steps to take now to ensure your business will comply with GDPR:
1. Ensure that all senior management are aware of data protection and the impact of the new law.
2. Carry out a data audit. Ask yourself what personal data you hold, where it came from, why you need it and with whom you share it.
3. Work out the legal basis that justifies the use of the data.
4. If you rely on consent to use data, make sure the consent complies with the regulations – the changes are significant and historic consents may not be good enough.
5. If you use data about children, how do you check their age and obtain parental consent?
6. Make sure that you have procedures to deal with individual rights to the correction or erasure of data or the provision of data to the individual.
7. Check and update your privacy notices.
8. Ensure you know how to deal with subject access requests.
9. Make sure you know what to do if there is a data breach. Breaches that put individuals at risk must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them; failing to deal with a breach properly may incur an additional penalty on top of any penalty for the breach itself.
10. Designate someone to take the lead on data protection in your organisation, and check whether you are required to formally appoint a data protection officer (mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data).
11. Think pro-actively about data protection. What is the potential impact of the data you hold on a person? How do your systems operate to protect data?
12. Do you use data in more than one EU state? You will need to determine which state’s data protection authority will be the lead authority.
If you need advice or assistance with any aspect of data protection law, contact Geoff Trobridge
We are holding a series of seminars on the new law; for more information visit: