Are you GDPR ready? Since the enactment of the Data Protection Act 1988, and with the GDPR (General Data Protection Regulation) coming on-stream from 25th May 2018, the legal obligations and requirements to safeguard personal data have grown. As an SME, your responsibility covers every function associated with personal data: gathering, storing, accessing, safeguarding and disposal, all in line with the rules of data protection legislation.
As has become apparent over the past few weeks, with the data misuse by the likes of Cambridge Analytica and the role of Facebook in the mishandling of consumer data, data protection in a business context is vitally important.
Failure to comply with the new General Data Protection Regulation can lead to heavy fines. Are you GDPR ready? If you are not sure, we are running a FREE information session on Friday 11th May which will help you become clear on what is required of you and your business.
In preparation for this, and to help those of you asking whether you are GDPR ready, we have compiled an abridged list of useful information.
The Irish Data Protection Act 2018
- Data Protection Acts of 1988 and 2003 repealed in part
- Provisions of those Acts relating to the processing of data for national security, defence and international relations remain in force
GDPR as applicable from 25th May 2018
- Europe-wide framework which changes the rules of data protection, providing a more uniform application and interpretation of data protection standards across the EU
- Member states retain some flexibility in certain areas and can make their own laws in those areas
- Higher standards of data protection for individuals are provided by the GDPR
- Increased obligations are imposed on organisations that process personal data
- The range of possible sanctions for infringement of these rules is increased
How it applies to SMEs
- Organisations and businesses must be fully transparent about the use and safeguarding of all personal data
- Must be able to demonstrate accountability for data processing
Preparatory steps for the GDPR
- Review and update risk management processes
- Inventory all personal data held – why do you hold it, do you still need it, is it safe?
- Review data privacy notices and keep service users informed
- Ensure procedures cover all individuals' rights, including erasure (deletion) and data portability
- Plan how to deal with subject access requests – the timescale for responding is now one month
- Make sure you meet the standards of GDPR
- Review methods of seeking, obtaining and recording consent
- Make sure you have adequate means to verify age and to obtain consent from a parent or guardian where a child's data is processed
- Ensure that data privacy is core to all future projects (privacy by design and by default)
- Ensure you have procedures to detect, report and investigate data breaches. Reporting is mandatory: a breach must be notified to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals
- Do you need to designate a Data Protection Officer? If so, make sure they are fully aware of all procedures
- If you are engaged in cross-border processing, identify your main EU establishment so that you can establish your lead supervisory authority
Responsibilities/role of the Data Controller and the Data Protection Officer
- Support the organisation's compliance with the GDPR
- Act as intermediary between the relevant stakeholders (the organisation, data subjects and the supervisory authority)
- Have professional standing, independence and expert knowledge of data protection law and practice
- A DPO may be a member of staff with appropriate training and at the appropriate level, or an external DPO engaged under a service contract
Using ISO 27001 to demonstrate conformance
- Provides a framework for information security management best practice
- Protects client and employee information
- Manages information security risks effectively
- Helps demonstrate the "appropriate technical and organisational measures" the GDPR requires for security of processing; note that ISO 27001 certification on its own does not equal GDPR compliance, as the Regulation also covers lawfulness, transparency and individuals' rights