GDPR (General Data Protection Regulation) is a new EU law which will apply from the 25th May 2018 and will replace the current Data Protection Act.
Many organisations have already been planning to ensure that the changes and new requirements for data protection and privacy practices will be met. It’s the biggest change in the data protection legislation for over 25 years.
If you are processing EU residents’ personal data then the rules apply, regardless of where you are located. There are no exceptions for the not-for-profit sector.
Here are some key steps that organisations should be preparing for:
1. Managing your data
Data needs to be kept up to date and accurate. Processes need to be in place to ensure that data isn’t held when it is not actually being used or is no longer needed by the organisation. Individuals’ rights will be strengthened, and they will have a right to request that data be removed or ported somewhere else.
2. Data breach notification
The data protection authorities will need to be notified of any breach in data protection within 72 hours. Organisations also have a duty to ensure that individuals are notified of any serious breach.
3. User Access
Another key change will be that users have a right to access their own personal data and can make access requests to check the data held on them at any time. This means organisations should plan in advance how they will handle requests.
4. Opt In v Opt Out
The changes coming into effect with GDPR mean that pre-ticked boxes giving consent won’t be acceptable. The new regulation will state that pre-ticked boxes and ‘silence’ will not mean consent has been given to use an individual’s data, and consent will still be required by law to send an SMS or marketing email to an individual.
5. Accountability and Governance
Although most organisations will already have good governance in place, GDPR will increase the requirements for transparency and accountability.
Organisations are expected to have the necessary governance in place for privacy, which ultimately should reduce the risk of data breaches and protect the use of personal data.
This should all have been reviewed by now as part of the GDPR compliance work that all organisations needed to carry out so that they are ready for the change by the 25th May 2018.