GDPR - How ready is your business?

Ian described the key changes that differ from the original 1998 Data Protection Act. Discussing the following;

• Breach notifications and how it is now mandatory to report any breach (within 72 hours) not only to the ICO but also to the person concerned if there is risk to that individual rights and freedoms.
• Individual Rights and how an individual can ask, free of charge, for details about the information that you hold on them . Also how you now have to supply that information as soon as possible but less than the previous 40 days. Individuals also have other rights; the right to be forgotten, the right of rectification , the right to data portability and right to object to data profiling.
• Data Protection Officers ( DP0) Ian pointed out that this usually a voluntary not mandatory requirement but there are exceptions where a DPO is mandatory.
• Explicit Consent, Ian asked “ do you have explicit consent from individuals for the data you hold about them”?
• Increase in fines, these can be severe up to 4% of annual global turnover or 20 million euros (whichever is the greater) can be imposed

Ian continued by saying that KMPG have been advising their clients that the main focus of business is to be review and put processes in place. His order of importance was:
• Governance
• Individual Rights
• Incident Reporting
• Training
• 3rd Party agreements
• Data
Ian went on to discuss areas of facts and fiction and advised the ICO were also focussing on nuisance calls and areas of public interest. Finally he reminded everyone of how the Privacy and Electronic Communications Regulations(PECR) laws align with GDPR.