What is GDPR?

The General Data Protection Regulation (GDPR) will replace the existing Data Protection Act in May 2018. It is the first major review of data protection for 20 years. GDPR extends the rights and freedoms of data subjects and places far more responsibility on organisations to process data fairly, accurately and securely.

Penalties for non-compliance have been increased from a maximum of £500,000 to a potential £20m.

How is it implemented?

Organisations can recruit a professional privacy expert, train an existing member of staff or use a compliance consultancy to implement the rules, procedures and guidelines of a privacy policy. The consultancy option can deliver considerable savings and provides continuous monitoring without the need to arrange holiday and sickness cover. This matters because a data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours.

Training all staff in data protection awareness is also part of compliance. In addition, an organisation will need to appoint a Data Controller, mainly in the form of a Data Protection Officer. GDPR recommends that organisations adopt ‘Data Protection by Design’, which means identifying other people to become Information Asset Owners (IAO) and a board member to become the Senior Information Rights Owner (SIRO). These are recommendations, but adopting such a structure plays an important part in demonstrating compliance.