The European Union will adopt the General Data Protection Regulation (GDPR) on 25 May 2018. The law will bring major changes to European data security. It will hold businesses accountable for the security and transparency of the consumer information they hold, and it will prove to be a major game changer for organizations worldwide that hold consumer data.
With the implementation of the law, organizations have to change their data practices. Starting from 25 May 2018, companies that collect consumer data will have to obtain the consent of consumers in clear and simple terms. If a user wants the company to erase their data, the company must take that request seriously.
The problem is how companies can make sure that they are following the law and avoid fines of 4% of global turnover. The amendments will require companies to change their data practices. Knowing only bits and pieces of GDPR is quite challenging for companies, and having to get started in a short span of time adds fuel to the fire.
If you are one of those companies, let’s have a look at how you can take the necessary steps.
Ensure Everyone Knows about the Law
From the top to the lower levels of the hierarchy, including senior staff and the trustee board, make sure that everyone knows about the amendments to the law. Everyone must know what decisions need to be taken in order to implement GDPR correctly. They must be aware that the implementation may need considerable time and effort. If things are not taken seriously and are left to the last minute, your company may find it difficult to prepare in time.
Identify the Data You Hold and Its Source
If you don’t know the origin of the personal data that you hold, you need to hold an audit session across your departments to find out. The data will include everything from the personal data of service users, donors and supporters to that of employees and volunteers.
Everything must be documented, as GDPR requires you to keep a record of your processing activities. You must also record whether you share the data with any third party.
Make Changes in Privacy Policies
The GDPR requires you to tell people what data you collect about them. Moreover, you should make it clear and easy for them to understand how you intend to use their data. The privacy policy is a great way to inform people about the collection and usage of their data.
Privacy policies are nothing new; every website carries a disclaimer that no one ever reads. Now it is time to read them. Under GDPR, privacy notices must give additional information, including how long you will keep data for and what lawful basis you have to process it.
Ensure to Meet Individuals’ New Rights
GDPR gives people rights over their data. For instance, GDPR gives an individual the right to have their personal data deleted. The rights of individuals are as follows:
- The right to be informed
- The right to amendment
- The right of access
- The right to remove
- The right to restrict processing
- The right to object
- The right to data portability
- The right not to be subjected to automated decision-making, including profiling
These rights are similar to those stated in the DPA, but with some significant advancements.
Evaluate and Update Request Procedures
Individuals have every right to know what data you collect about them, why the data is being processed and whether it will be shared with any third party. They have the right to receive this information in a hard copy, which is known as a subject access request. Your company must be capable of recognizing a subject access request, finding the relevant data and fulfilling the request within one month of receipt.
Identify, Document and Explain Lawful Basis
Under GDPR you must have a lawful basis for processing personal data. For instance, processing personal data in order to deliver a contract you have with an individual is a lawful basis. There are several different grounds that give you a lawful basis to process. Understand and document which lawful basis you need in order to process data, with the help of the ICO guidance on lawful basis.
Analyze How You Get Consent to Use Personal Data
If you are relying on consent as your lawful basis for processing personal data, you need to analyze how you seek and manage consent. According to GDPR, consent must be freely given and must be easy to withdraw. You cannot rely on silence, inactivity or pre-ticked boxes to obtain consent.
Give Children Extra Protection
The majority of charities support young people and children. The new GDPR guidelines come with special protection for children’s personal data. According to GDPR, children under 16 years of age cannot give consent, which requires you to obtain consent from their parent or guardian. You must make sure that the person giving consent on behalf of a child is permitted to do so. Moreover, privacy statements need to be written so that they are easily understandable by children.
Be Prepared to Identify, Report and Investigate Personal Data Breaches
A personal data breach is a breach of security that leads to the unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data. You need to ensure that the right practices are in place to identify, investigate and report a personal data breach.
GDPR introduces a duty to report particular types of data breaches to the ICO and, in some cases, to the individuals concerned. You have to be able to prove that you have suitable technical and organizational measures in place to defend against a data breach.
Build Data Protection into Your New Projects
Privacy by design is all about building data protection into your new projects and services. The GDPR has made privacy by design an express legal requirement. A Data Protection Impact Assessment should be carried out especially when deploying new technology, where processing may considerably affect individuals, or where sensitive categories of data will be processed on a large scale. Make sure to decide who will be accountable for carrying out impact assessments, when you will use them and how you will record them.
Decide Who Will Be Answerable for Data Protection in Your Organization
Either an external data protection advisor or someone from your own company has to take charge of compliance with data protection legislation and have the knowledge and authority to do so. Companies that conduct large-scale processing of sensitive personal data, such as criminal or health records, will be required to appoint a data protection officer.
Data Protection and Fundraising
When it comes to fundraising, the use of personal data is vital. There has been a great deal of media and public scrutiny of fundraising methods. If you are using personal data to fundraise, you need to follow the updated guidelines on fundraising and data protection.