Our guide to GDPR - Uinsure

Our guide to GDPR

Helping you to get ready for the changes to General Data Protection Regulations on 25th May 2018.

This publication is for information purposes only; firms should undertake their own assessment of the GDPR and seek advice if they feel it is necessary.

Time is running out to get ready for GDPR! We are now just days away from the implementation of the new General Data Protection Regulations, which come into force on 25th May 2018. For some organisations this will be an enormous hurdle. For others, it can be an opportunity to understand customer data on a better level. It’s not necessarily something to be scared of: if you were already following the Data Protection Act’s 8 Principles, it’s likely that you are almost there already. This guide is aimed at giving you some last minute, bite-sized pieces of information and some questions to consider to check your readiness.


Why are the changes being introduced?

Data Protection law and regulation has been in place for many years; however, when it was originally prepared, the digitally interconnected world in which we operate today was not considered nor legislated for. At that time most businesses did not have a public website, and data hosting and online transactions did not exist. People were less concerned about threats to their privacy and the use of their personal data than they are today. To address this gap and to bring previous regulations up to date, the European Union General Data Protection Regulation, or “GDPR”, is being introduced. And yes, it applies in spite of Brexit.

In a nutshell...

In summary, GDPR is the regulation of the use of personal data by organisations, whether that be in respect of customers or staff. It’s designed to give people more control over their information and personal data. Individuals will have enhanced rights, for example through:

• The right not to be subject to automated decision making
• The right to have incorrectly held data corrected
• The right to have their data erased (the right to be forgotten)
• The right to be informed on how their data is used and processed

Key changes to be aware of...

• Transparency - Information is to be provided to, and permissions required from, individuals to justify the use of their personal data
• The definition of “personal data” has been expanded beyond that in the Data Protection Act
• New laws requiring firms to report data breaches
• Data subject access requests will now most likely be free, and have to be fulfilled within 30 days
• Enhanced individual rights
• Accountability - Firms with more than 250 employees will have to have an appointed officer responsible for compliance, and others must still be able to evidence good data governance

FAQs

Can anyone ask for their data to be erased?
Yes, individuals can always request to invoke their “right to be forgotten” and have their data erased. However, firms and organisations may still have a legal basis for retaining it.

Can we charge for a data subject access request?
Not any more, unless the requests become unreasonable.

Can we send marketing information to customers?
You will normally rely upon the customer’s consent as a condition to market to customers, so you will need their permission to send marketing communications. When asking for consent you must do so clearly and not hide your request in wider business T&Cs. There must be a positive opt-in by the data subject (i.e. no pre-ticked boxes, use of assumptions or silence), which must be recorded and capable of being verified.

What is personal data?
Personal data is specifics about individuals which could potentially be used to identify them. It includes such information as:
- Physical attributes
- Culture
- Economic standing
- Political leanings
- Psychological or mental status
- Other identifying characteristics

For further information there is a wealth of material on the Information Commissioner’s website at www.ico.org.uk

Questions to ask yourself

1. Have you identified the areas of your business which will be affected most? Maybe it’s marketing, maybe HR, or maybe the information security side of the firm.
2. Is the Board bought in to the changes needed?
3. Have you reviewed, updated and documented your data protection processes?
4. Have you reviewed, updated and documented your data protection policies?
5. Has the firm got the resources and the skills to address the changes?
6. Have you established how you are going to inform the individuals whose data you hold and process, and how you are going to do so?
7. Have you worked out on what legal basis you may retain data?
8. In respect of any marketing, have you ensured that any activity takes place with express consent where it is needed?

What happens if firms get it wrong?

The new regulations bring with them penalties for data breaches of up to 4% of a firm’s annual turnover or €20m (approximately £16m), whichever is the greater. As ever, the fine is just part of the overall cost: rectification, the absorption of management time, legal fees and reputational harm are also damaging to any business.

Get in touch

Our team of UK based insurance experts are here to help.
Call us: 0344 844 3844
Email us: [email protected]
Website: www.uinsure.co.uk
Social media: www.linkedin.com/company/uinsure/ www.twitter.com/UinsureLtd
Write to us: Uinsure Customer Services, PO Box 1189, Doncaster DN1 9RP

Copyright © 2018 Uinsure Ltd. Uinsure Limited is authorised and regulated by the Financial Conduct Authority. No 463689. Registered office: 8 St John Street, Manchester, M3 4DU