Getting ready for GDPR – 25 May 2018

There are new Data Protection legal requirements coming into effect on 25 May 2018, meaning there are now 12 weeks to ensure you’re compliant.

The new EU-wide General Data Protection Regulation (GDPR) replaces the current Data Protection Act 1998 and applies to all organisations regardless of size. It extends and strengthens the rights of individuals.

Here at Energy & Utility Skills we are working to ensure we are compliant and we also need to ensure that our approved trainers and providers are compliant when working with us, so we will be in touch in the coming weeks.

GDPR reverses the burden of proof. Organisations must now demonstrate their compliance with GDPR to the Information Commissioner’s Office (ICO) and new fines are being introduced (up to 4% of an organisation’s global turnover or €20m, whichever is the higher amount). There are also new breach notification timescales, and any data breaches must be reported to the ICO within 72 hours. The latest guidance is that Brexit won’t affect the implementation of, or ongoing compliance with, GDPR.

Some considerations for all organisations:

  • If you are collecting and processing personal data, you need to determine whether you are a “Data Controller” or “Data Processor” or both.
  • Are you clear on the reasons why you are collecting and processing personal data? There has to be a legitimate purpose or explicit consent.
  • There are new rules being introduced for consent – the collection and processing of personal data need to be for a specific purpose, and an individual must ‘opt in’ and not ‘opt out’, and be given the ability to freely withdraw their consent.
  • Are you collecting and processing ‘sensitive data’, for example ethnicity? If so, you must be absolutely clear on the reasons why.
  • Is the personal data you are collecting and processing adequate, relevant and limited to your purposes?
  • All reasonable steps must be taken to ensure that the personal data you store is accurate and kept up to date.
  • Personal data must only be retained for as long as you need it.
  • There must be appropriate technical and organisational measures in place to protect personal data.

For more information about GDPR and how the changes will affect your organisation, click here.