Since the new legislation was announced, everyone has been talking about GDPR. This is a good thing, as it has spurred businesses and individuals to think about the way they store, process and use personal data. However, a few rumours have sprung up along the way, and it is about time those myths were put to rest.
No more reminders
I came across a business owner who ran a small medical practice. They asked whether GDPR would still allow them to phone their patients to remind them about their appointments. I’ve come across this example with similar business owners too, who have formed the opinion that GDPR would put a stop to these kinds of things, as they would be reported as a breach or misuse of data.
However, this is simply not the case, and it is important to address it. If we don’t, we will lose sight of the end game, which is greater transparency and accountability. This type of misinformation will only lead businesses into wrong decisions. The law isn’t about levying fines or catching out the unwitting business owner; it is simply about putting the consumer first.
Getting to the truth
The truth is that GDPR must be taken seriously, and that much bigger fines than before now exist for businesses that don’t. It is also true that the ICO is committed to guiding and advising businesses on how to comply with the law, rather than having them fear it.
The new law comes into force next May (25 May 2018), so businesses should make sure they are prepared. The ICO has released 12 steps to take now to make sure you’re ready. These are:
- Build awareness among key staff that the law is changing and the impact it will have
- Document what personal data you hold, where it came from and who you share it with, and carry out an information audit if needed
- Review privacy notices
- Check procedures for individuals’ rights, including how you delete or provide data
- Plan how you will handle subject access requests within the new timescales
- Identify and document the lawful basis for each of your data processing activities, and update your privacy notice to explain it
- Review how you seek, record and manage consent for personal data handling
- Put age verification in place where needed, including obtaining parental or guardian consent for any data processing activity involving children
- Have the correct procedures in place to detect, report and investigate data breaches
- Familiarise yourself with the ICO code of practice on Privacy Impact Assessments
- Designate someone to take responsibility for data protection compliance, and check whether you are required to appoint a Data Protection Officer
- Make sure any cross-border processing is compliant, and if you operate in more than one EU member state, determine your lead data protection supervisory authority
Any business in need of clarification on any of the above, or further guidance on GDPR should contact Wilkins Kennedy for more information.