Information Commissioner’s Office for GDPR regulations

安博电竞比赛押注登陆

We wrote in a previous blog about GDPR and how it effects every business in the UK, as well as any global company holding data on businesses in the EU. There are a lot of people concerned about the General Data Protection Regulations (GDPR) regarding what it means and what you must do to be covered. A lot of these are companies trying to sell solutions that are either directly or loosely related and care must be taken to not buy something that isn’t actually required.

The suggestion here is to start with the Information Commissioner’s Office, the ICO , as they are providing a lot of independent advice and are the people dishing out fines. Their document “ Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now ” gives a good overview providing an understanding of the areas covered and what needs addressing. To help you to get the ball rolling, this blog is a short summary of those points.

Disclaimer

All of the information we provide is to our best understanding at the time of writing, however this blog does not offer legal advice. If you require advice on your specific business we recommend that you seek independent legal advice.

1. Awareness

It is important that key people in your organisation are aware of GDPR and the direct implications to the business. Due to the significant implications to your organisation, GDPR may effect systems, procedures and resources. The sooner this is managed by your company the easier it will be to be compliant.

Information Commissioner’s Office advice on securing data under GDPR regulations

2. The Information that You Hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.

3. Communicating Privacy Information

A key element to GDPR, as it was in the DPA, is transparency and providing accessible information about how you will use personal data. The most common practice is to provide a privacy notice, for which the requirement under GDPR is extended over the DPA.

4. Individual’s Rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision-making including profiling.

5. Subject Access Requests

You will be required to respond to requests about the data that you hold within 1 month, such as what data and why you are holding it. You are not generally allowed to charge for access requests, however there are exceptions for requesting pay or refusing in extreme circumstances. If you have automatic processing of data, such as ratings, credit checks, etc, there is a separate set of rules.

6. Lawful Basis for Processing Personal Data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Information Commissioner’s Office advice on consent under GDPR regulations

7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Unlike the DPA, there must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must not be a mandatory part of the provision of products or services; for times when data collection must be taken as mandatory (such as for credit checks) then alternative lawful basis must be in place.

8. Children

You should start considering putting systems in place to verify individual’s ages, as children’s personal data may require consent from a guardian for anyone under 16 ( this may be lowered to 13 in the UK).

9. Data Breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments

The GDPR makes privacy by design approach an express legal requirement. In some circumstances it is mandatory to carry out a Privacy Impact Assessment (PIA), now referred to as ‘Data Protection Impact Assessments’ or DPIAs.

11. Data Protection Officers (DPO)

Organisations such as public authorities are required to appoint a DPO. However, irrespective of whether you are required to have a DPO, you are advised to designate individuals to take responsibility for the data protection compliance in your organisation.

12. International

If you process data across a number of EU member states, you are advised to follow the authority of the data protection supervisory authority in the country that you complete the most significant decisions about processing activities.

Stay Tuned for More GDPR Information

In our next GDPR blog we will be looking at providing more information on addressing the legislation from a practical point of view. We will also look at how both the Microsoft offerings and our own solutions will help with addressing those points, which will hopefully give an idea of what you need to do with your own systems. If you would like to stay up to date with our news please sign up.

Sign up for updates

Posted by Jesse Lawrence 13 Jul 2017

Industry , GDPR

Jesse Lawrence

Jesse is our marketing manager, keeping an eye on the latest news in the market as well as having worked on the GDPR legislation.

Latest Blog Posts

安博电竞 Central updates at 安博电竞 Changes July 2022

07 Jul 2022

安博电竞 Consultants take to the track!

04 Jul 2022

How to fix 安博电竞 Central sliders displaying in the wrong place

01 Jul 2022

See all

I find their approach to our relationship very professional whilst being refreshingly realistic. We now consider them to be part of our team
⭐⭐⭐⭐⭐
Technical Director, Bainbridge International