The General Data Protection Regulation (GDPR)
The GDPR – General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the Data Protection Directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
Think Big Tech – GDPR 12 step guide
The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.
This is a living document and we are working to expand it in key areas. It includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative.
- Awareness: have you started to think about whether you need to put systems in place to verify individuals' ages and to obtain parental guidance or consent for any data processing activity?
- Information you hold: you will need to document what personal information you hold, where it comes from and who you share it with. You may need to organise an information audit.
- Communicating privacy information: you will need to review your current privacy notices and put a plan in place for any changes you need to make for the GDPR implementation.
- Individual rights: you need to check all your procedures to make sure that they cover all the rights of individuals, including how you would delete personal data and how you would provide it electronically in a commonly used format.
- Subject access requests: you need to plan how you would handle requests within the timescales and provide any additional information.
- Lawfully processing personal data: you need to identify the lawful basis for your processing activities under the GDPR, document it, and update your privacy notice to explain it.
- Consent: review how you seek, record and manage consent. If you need to make any changes, refresh any existing consents if they don't meet the GDPR requirements.
- Children: you should start thinking about where you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
- Data breaches: you need to make sure you have the right data protection procedures in place to detect, report and investigate any data breaches.
- Data Protection Impact Assessments: you need to familiarise yourself with the ICO code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party, and work out when to implement this in your organisation.
- Data Protection Officers: you should designate someone within your company to take responsibility for data protection compliance and assess where the role will sit within your organisation's structure and governance arrangements. You should also consider whether you are required to formally designate a data protection officer.
- International: if your company operates in more than one EU member state, how would you carry out cross-border processing? The Article 29 Working Party guidelines will help you determine your lead data protection supervisory authority.
Designed to help you, as a data controller, assess your high-level compliance with data protection legislation. Includes the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation. Follow this link:
Designed to help you, as a data processor, understand and assess your high-level compliance with data protection legislation. Includes the new requirements for data processors, the rights of individuals, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation. Follow this link:
Information is publicly available on www.ico.org.uk