4 years ago, the world was introduced to the General Data Protection Regulation (GDPR). GDPR took over from the previous Data Protection Act (DPA), which was deemed to have some gaps in it. GDPR aimed to provide a clear and concise way to protect people’s personal data. It imposed new rules on organisations that offer goods and services to the people of the EU and to people tied to the EU. It established:
- Enhanced personal privacy rights
- Increased duty for protecting data
- Mandatory breach reporting
- Significant penalties for non-compliance
Key changes that occurred
There were key differences that people and businesses noticed between GDPR and DPA compliance. One is that GDPR gave individuals the right to access their personal data, to have it erased if they want and even to export it for themselves. Another was that individuals had much more control over their data: they were entitled to confidentiality, and appropriate consent had to be obtained before their data was processed.
What businesses needed to know
GDPR meant that businesses had to prepare for the unknown. They had to start addressing the issues that would arise, such as budgeting, changing IT setups and the governance implications. For financial firms this was deemed particularly tricky, and it meant that they had to change the way they do things.
A compliance solution that many businesses caught on to was to set up a compliance department or to outsource the work, so that specialists could handle all of the nitty-gritty work that the business did not want to do or felt it lacked the capacity to do.
Businesses had to update privacy notices
Collecting personal data has always been a crucial part of how businesses build their market strategy, and previously this fell under the DPA compliance rules. With the change to GDPR there were a few changes that businesses had to be made aware of. Businesses had to explain themselves more clearly, including what they were collecting the data for. Some of the things they had to make individuals aware of were:
- your legal basis for processing the data
- your data retention periods
- their right to complain to the ICO if they think there’s a problem with how you’re handling their data
Document all of your findings
GDPR means that some people’s rights will differ depending on the legal basis under which their personal data is processed. For example, if they have previously decided to delete their data for whatever reason, and you wish to access this data, you will have to go through certain legal processes.
Put measures in place
Sometimes issues occur outwith the business’s control, and data breaches can happen. The best thing a business can do is to think “when” and not “if” in these circumstances. Having measures in place, with GDPR at the back of your mind, can help limit the damage. Set out procedures to detect, report and investigate personal data breaches, and consumers will have far more confidence in the business.
Even after 4 years, there are uncertainties about GDPR and how secure it is. The best thing you can do is carry out a privacy impact assessment (PIA) on any high-risk situation. By doing this you are able to prepare for the worst possible outcome if you fail, and it gives you direct insight into what needs to be fixed within your policy.
Appoint a data protection officer (DPO)
Similar to a compliance department, a DPO is in charge of the company’s compliance obligations and its overall GDPR safety. Having someone in place who can look after this around the clock is the safest thing any business can do, and it is one of the main things we recommend.