Yet again our working world is presented with more acronyms. So what is GDPR and what does it mean to you?
What is GDPR?
GDPR stands for General Data Protection Regulation and comes into force on 25th May 2018. It is all about strengthening and unifying data protection for all individuals within the European Union.
It is the biggest overhaul of data protection legislation for over 25 years and introduces new requirements for how organisations process personal data. Just because it is new legislation, however, it doesn’t mean everything is changing. It is more that legislation is evolving to ensure better protection for all.
GDPR will apply to all organisations across all sectors for all data held and processed, whether it be on staff members, volunteers or service users, for example.
Understanding what is meant by personal data.
When you mention personal data, you automatically just think of names and contact details. To be clear, it refers to any information from which a living person can be identified, directly or indirectly.
What are the necessary steps to being GDPR compliant?
As we look after your apprentices, we are obviously taking important steps to ensure we are compliant. If an organisation isn’t compliant there are risks of fines (up to €20 million, or 4% of annual global turnover if that is greater), damage to your organisation’s reputation and of course the risk of lawsuits.
To help you get better prepared, we want to share some of the steps we are using to ensure we are GDPR compliant:
- Make sure all decision makers, and key members of staff, are fully aware of what GDPR is.
- We are reviewing all data we hold and how it is stored (both electronically and as hard copy). By review, we also mean checking how the information was obtained and who (if anyone) it is shared with (and whether that information really needs to be shared with those it has been or will be shared with).
- We are reviewing our privacy notices, ensuring everyone (especially our apprentices) is fully aware of why we request their personal information and what will happen to it. We have also ensured they provide appropriate consent to allow us to use their information where necessary, and will continue to do so as we move forward.
- Remember individuals’ rights! Again, this is largely a matter of reviewing and ensuring our procedures cover all the rights individuals have, including how personal data would be deleted and how data would be provided electronically in a commonly used format.
- Don’t forget consent!
- Individuals are able to access the information we hold on them. Should a request be made, we will need to ensure this is provided within one month of the request. In most cases you also cannot charge for processing this request. Individuals can request confirmation that their data is being processed, access to their personal data, and other supplementary information, for example the information that should be provided in a privacy notice.
- When processing personal data we will be ensuring it is lawful and documented, and the methods we use in doing this will be detailed in our privacy notices. You should also note that individuals will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
- Data breaches are serious. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is therefore vital you can detect, report and investigate a personal data breach should one occur; where a breach is likely to result in a risk to individuals, it must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Having the correct procedures in place will reduce the likelihood of a breach and ensure you respond properly if one does happen, but no set of procedures removes the risk entirely.
- We have assigned a member of our team to take responsibility for data protection compliance. From your organisation’s perspective, assess where this role will sit within your organisation’s structure and governance arrangements. You could even consider appointing a Data Protection Officer.
Where else can we access information on GDPR?
- The ICO is an obvious one https://ico.org.uk/
- Many legal firms have developed their own factsheets on GDPR, which can help you prepare.
- Speak to us! We are ensuring we are GDPR compliant and we would be happy to help if you have any concerns.