If you’re reading this and thinking “what is GDPR?”, or you’ve heard of GDPR but your organisation is yet to begin preparing, it’s not too late to start your readiness strategy.
With the aim of enforcing stronger data security and privacy rules among organisations when it comes to protecting personal data, the General Data Protection Regulation (GDPR) is set to replace the Data Protection Act on 25th May 2018. It’s important that your organisation understands the key elements of the Regulation and takes appropriate protection measures to ensure the data you hold is audited, well documented and that all your data collection procedures are GDPR compliant.
So why is GDPR so important? Non-compliance could put significant financial strain on your organisation. Your organisation could be liable for penalties up to €20 million or 4% of global annual turnover (whichever is greater), even if you weren’t directly responsible for the breach. Not to mention the reputational damage incurred. GDPR could mean the beginning of the end if it’s ignored.
Take the first step to GDPR readiness by completing the Capacity GDPR Health Check. Spot gaps in your organisation and address them now to ensure that your organisation is GDPR compliant.
Some of the terms used in the GDPR Health Check may sound unfamiliar. Be sure to familiarise yourself with key terms and phrases before you answer the questions:
This is the first step in achieving data compliance; you need to understand and designate who in your business owns data.
Unambiguous indication or clear positive action an individual gives (via verbal agreement, or expressed in writing) signifying that they agree to the processing of their Personal Data. Consent can also be called ‘permissions’.
The organisation that collects and uses Personal Data. The Data Controller is a person who (either alone, jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
The organisation that processes personal data on behalf of the Data Controller. The Data Processor is any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller.
The way to identify any risks in the methods used to process data.
The individual or legal entity with the responsibility to advise and inform the Data Processor (including the employees who carry out the processing) of their obligations under GDPR.
The data subject is the individual the personal data is about.
In legal terms, a natural person is a person that is an individual human being.
A person’s data (name, ID number, location data, online identifiers or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of the natural person).
Any bit of information (data) that allows you to identify an individual person.
The Data Subject’s right to ask a Data Controller for all the Personal Data they hold concerning them – free of charge.
The Data Subject’s right to request that they are erased from your database ‘without undue delay’.
The Data Subject’s right to prevent the processing of Personal Data. This doesn’t mean you have to delete it, but you cannot do more than store it (although make sure to keep enough information to ensure their wish to ‘block processing’ in the future is respected).
Capacity: The Public Services Lab