Integrated MRP solutions from the experts >

Off the shelf professional e-Commerce web store that grows with you

Get the Office 365 - Free Trial! Try now for 1 month with no obligation.

ICO Advice on GDPR Legislation, Essential Reading

The 12 Points to Cover in GDPR

We wrote in a previous blog about GDPR and how it effects every business in the UK, as well as any global company holding data on businesses in the EU. There are a lot of people concerned about the General Data Protection Regulations (GDPR) regarding what it means and what you must do to be covered. A lot of these are companies trying to sell solutions that are either directly or loosely related and care must be taken to not buy something that isn’t actually required. 

Information Commissioner’s Office for GDPR regulations

The suggestion here is to start with the Information Commissioner’s Office, the ICO, as they are providing a lot of independent advice and are the people dishing out fines. Their document “Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now” gives a good overview providing an understanding of the areas covered and what needs addressing. To help you to get the ball rolling, this blog is a short summary of those points.

Disclaimer

All of the information we provide is to our best understanding at the time of writing, however this blog does not offer legal advice. If you require advice on your specific business we recommend that you seek independent legal advice. 

1. Awareness

It is important that key people in your orgainsation are aware of GDPR and the direct implications to the business. Due to the significant implications to your organisation, GDPR may effect systems, procedures and resources. The sooner this is managed by your company the easier it will be to be compliant.

 

2. The Information that You Hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.

Information Commissioner’s Office advice on securing data under GDPR regulations

 

3. Communicating Privacy Information

A key element to GDPR, as it was in the DPA, is transparency and providing accessible information about how you will use personal data. The most common practice is to provide a privacy notice, for which the requirement under GDPR is extended over the DPA.

4. Individual’s Rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling.

5. Subject Access Requests

You will be required to respond to requests about the data that you hold within 1 month, such as what data and why you are holding it. You are not generally allowed to charge for access requests, however there are exceptions for requesting pay or refusing in extreme circumstances. If you have automatic processing of data, such as ratings, credit checks, etc, there is a separate set of rules.

6. Lawful Basis for Processing Personal Data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Unlike the DPA, there must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must not be a mandatory part of the provision of products or services; for times when data collection must be taken as mandatory (such as for credit checks) then alternative lawful basis must be in place.

Information Commissioner’s Office advice on consent under GDPR regulations

 

 

8. Children

You should start considering putting systems in place to verify individual’s ages, as children’s personal data may require consent from a guardian for anyone under 16 ( this may be lowered to 13 in the UK).

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments

The GDPR makes privacy by design approach an express legal requirement. In some circumstances it is mandatory to carry out a Privacy Impact Assessment (PIA), now referred to as ‘Data Protection Impact Assessments’ or DPIAs.

11. Data Protection Officers (DPO)

Organisations such as public authorities are required to appoint a DPO. However, irrespective of whether you are required to have a DPO, you are advised to designate individuals to take responsibility for the data protection compliance in your organisation.

12. International

If you process data across a number of EU member states, you are advised to follow the authority of the data protection supervisory authority in the country that you complete the most significant decisions about processing activities. 

Stay Tuned for More GDPR Information

In our next GDPR blog we will be looking at providing more information on addressing the legislation from a practical point of view. We will also look at how both the Microsoft offerings and our own solutions will help with addressing those points, which will hopefully give an idea of what you need to do with your own systems. If you would like to stay up to date with our news please sign up below.

Stay tuned for more GDPR information and advice

 

 

What will we do with your data? See our Privacy Policy for more information.

Archive

Tags