GDPR Compliance Framework

What is GDPR?

GDPR is the European Union's General Data Protection Regulation (Regulation (EU) 2016/679), which applies from 25 May 2018.


Why is it significant?

With the GDPR, the EU is leading a global shake-up of data protection.  For citizens, the regulation is a good thing.  For businesses and organisations that manage personal data, compliance will take time and effort.  The regulation applies to organisations established in the EU, and to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of those individuals' nationality.  Thus, if a US company has customers in the United Kingdom, it must manage those customers' data in accordance with the GDPR even though the United States is not located in Europe.


How will Brexit affect GDPR?

The General Data Protection Regulation comes into effect before the United Kingdom leaves the EU.  The UK Government has demonstrated its commitment to carrying it into UK law post-Brexit with its Data Protection Bill.


Do I have to comply with GDPR?

As an EU Regulation, GDPR compliance is mandatory.  Significant financial penalties (up to €20 million or 4% of annual worldwide turnover, whichever is higher) exist for organisations that fail to adequately protect the personal data they hold, or that fail to report a notifiable data breach to the supervisory authority within 72 hours of becoming aware of it.  Should a breach occur, the organisation may also be exposed to affected individuals seeking financial compensation, as well as to the strategic threat to reputation and trust.


What about the Data Protection Act?

The GDPR replaces the Data Protection Act 1998 and significantly changes the controls and processes governing how the personal data of employees, customers, suppliers, donors and volunteers must be managed and protected.


What has changed?

Right to erasure – the right to be forgotten

Subject access requests – now normally free of charge and to be answered within one month

Establishment of the Data Protection Officer role, which is mandatory for certain organisations.


How do I ensure that I comply with GDPR?

The Information Commissioner's Office (ICO) has published a 12-step guide to preparing for GDPR compliance.  Each of the sections below covers one area of that preparation.


Prepare

Who do you collect personal data from? Customers, staff, volunteers, donors, businesses?

What personal data do you collect?

Where do you collect data?

How do you collect data – web page contact form, email, and so on?

Why do you collect data, and what is the legal basis? Keep a register of all data collected and the justification for it.

Where do you store collected data?

How long do you hold collected data?

How do you delete collected data?

How do you anonymise data?

Education

Likely tasks:

GDPR baseline briefing

GDPR bytes


Training

Update policy

Register with ICO

Data Protection Officer

Customer Relationship Management System

Data Protection Impact Assessments


Detect

How will you know that a breach or misuse of personal data has occurred?

What detection processes do you have in place?

Respond

Data Breach

Subject Access Request

Reporting data breaches to the ICO within 72 hours

Recover