General data protection regulation deadline looming large

25 May 2018 is a date your organisation cannot afford to overlook!


The ‘new and improved’ Act on Data Protection, the GDPR, will come into force. It will apply to all businesses operating across the EEA and will still include the UK, despite Brexit. Even companies based outside the EU which are involved in processing the personal data of EU individuals in relation to offering goods/services, or monitoring the behaviour of individuals in the EU, will also be subject to its requirements.

The new regulation aims to improve data protection standards and to align them better with the digital age whilst supporting the principal that all businesses should handle personal data “fairly and lawfully”.

What is it?

The GDPR will replace the UK’s Data Protection Act 1998 (DPA) but will still include key aspects from it such as the right of an individual (the data subject) to request a copy of the data held on them. The rules governing this particular procedure have altered only slightly and other rules have been added as an extra layer of security. For example, under the GDPR information requests must be dealt with as soon as possible or within a month at the latest. Previously, companies had 40 days to supply the requested information.

How do companies prepare?

The Information Commissioner’s Office (ICO) has issued 12 steps to help businesses prepare effectively for the deadline. These preparatory guidelines should not be ignored as fines will be issued for misuse of data which could amount to 2-4% of global annual turnover.

Here at Allotts, we thought we’d give you a heads up if your head is still in the sand on this one.

12 key points for consideration:

1. Awareness – do decision makers and key players in your organisation know the law is changing to the GDPR?

2. Information held – you need to document what personal data you hold, where it came from and who you share it with. An information audit may be required.

3. Communication of privacy information – you should review current privacy notices and have a plan to make necessary changes in time for GDPR implementation.

4.Individuals’ rights – check your procedures cover all the rights individuals have,
including how you would delete personal data or provide data electronically in a
commonly used format.

5.Subject access requests – plan how your company will handle information requests within the new timescales.

6. Legal basis for processing personal data – analyse the different types of data processing you need to carry out and identify the legal basis for carrying it out and then document it.

7. Consent – review your procedures for seeking, obtaining and recording consent. Are changes necessary?

8. Children – put systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

9. Data breaches – make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments – familiarise yourself with the ICO guidance on Privacy Impact Assessments and work out how and
when to implement them.

11. Data Protection Officers – you should designate a Data Protection Officer or
someone to take responsibility for data protection compliance and assess where this will sit within your organisation’s structure and governance arrangements.

12. International – you need to determine which data protection security authority you come under.

A major point for marketing departments to focus on, is the issue of consent. When asking customers to submit their information, web pages need to be set up in such a way as to ensure that tick boxes remain unchecked and the customer checks it themselves. You also need to give clear information about how their data is intended to be used.

If you are sending out a company newsletter, for example, the receiver must have physically opted in themselves. You cannot carpet-bomb and then ask them to unsubscribe.

Consent is also required for audience profiling and any individual whose data you hold will
have the right to correct any information you store.

We are just nudging you in the right direction with this information – it is now crucial that your organisation begins to plan its data protection strategy carefully to be ready for next year’s deadline.