The GDPR is set to replace the Data Protection Act on 25th May 2018. The new regulation seeks to ensure that all companies within the EU (and those who trade within the EU) follow the same set of rules when it comes to protecting their clients’ personal data. It is highly important that all companies take measures to prepare for the introduction of the new regulation well in advance of its implementation. As such, we’ve put together 5 of the most important GDPR requirements that you should be aware of:
1. Explicit Consent
Under the new General Data Protection Regulation, companies must provide their clients or customers with the opportunity to explicitly consent to the storage of their personal information. Unlike the DPA, a simple ‘opt out’ clause will not suffice. Customers will have to actively express their consent for a company to have the right to store and process their information, rather than consent being assumed by default with the option to opt out later. Customers will need to provide consent for each individual piece of information, rather than bundling it as a whole. The idea is that individuals have more freedom over the type of information that companies store about them, and can choose to retract their consent at any point.
2. Demonstration of Compliance
It won’t be enough for companies to simply comply with the GDPR; they must also be able to prove the ways in which they comply. This will mean clarifying data security policies and training every member of staff so that they understand the importance of following these policies. Companies will also need to be able to provide proof of how they store each individual piece of information, if they are asked to do so.
3. Data Breach Reporting
In theory, if companies are compliant with the GDPR, they are unlikely to fall victim to data breaches. However, if a company does suffer a data breach, they will need to report it to the supervising authorities and the individuals affected within 72 hours of it happening. Failure to do so could result in penalties that are even tougher than the existing fines for failing to comply with the GDPR.
4. Liability Extends Beyond Controllers
Under the Data Protection Act it was only data controllers that were responsible for data security. The new regulation, however, means that all organisations that deal with personal data, for whatever purpose, are liable. This includes companies that have minimal contact with data, such as companies that provide data processing services to the controller. No matter how minimal the contact with personal data, compliance is still mandatory.
5. The Appointment of a Data Protection Officer
Article 37 of the GDPR states that public authorities, data controllers and processors who regularly and systematically monitor data subjects on a large scale, and data controllers whose main job is to process, on a large scale, sensitive data or data relating to criminal convictions and/or offences, must appoint a Data Protection Officer (though it is advised that all companies appoint one). This DPO will have expert knowledge of what the company needs to do to comply with the GDPR, ensuring that all staff are trained and aware of their data protection obligations. The DPO will also be responsible for answering any queries regarding the company’s data security.
The GDPR effectively calls for companies to be more acutely aware of how they store and process their client data. Given that the penalties for non-compliance are so strict (up to €20 million or 4% of global annual turnover, whichever is higher), it is easy to see the need to comply with the new regulation as a burden. However, you should really see the GDPR as a chance to firm up your company’s data security, so that your clients and/or customers can rest assured that their information is in safe hands.
To find out more about how EOL can ensure you remain GDPR compliant for IT Asset Disposal, contact us today: https://www.eolitservices.co.uk/contact/