NEWS EXTRA


requires that this relationship be governed by a contract that sets out the parties’ data protection obligations.


Review direct marketing activities


Those that market directly to individuals must ensure that they have a lawful basis in order to use personal data for marketing purposes. An example of this is where firms send marketing emails to a person with their consent. It is not always necessary to have consent before marketing directly to people; however, this will depend upon the specific circumstances. Firms must comply with the GDPR and other legislation including the Privacy and Electronic Communications Regulations (PECR).


Make sure ‘fair processing information’ is provided


Businesses should ensure that they provide a Privacy Notice to individuals when they first collect their data. The Privacy Notice should explain who the business is, provide its (and the Data Protection Officer’s) contact details, the purposes for processing people’s personal data and details of the legal basis upon which the business relies for processing the data. It should explain the details of any ‘legitimate interest’ that it may rely upon for processing data as well as the details of any third parties that the data may be sent to. Finally, it should also set out the details of any transfer of personal data that might occur to other countries and inform individuals about the rights they have under the GDPR.


Register the business as a data controller with the Information Commissioner


If the business processes personal data, then it should register with the Information Commissioner. For more information, see the Information Commissioner’s website: www.ico.org.uk


Implement policies and procedures to meet GDPR rights


Individuals have numerous rights under the GDPR such as the right of access, the right to rectification and the right to erasure. If a firm receives such a request from an individual, it will be important for it to ensure that it responds to the request appropriately and within the one-month time limit. Ensuring that it has policies and procedures in place to facilitate the handling of a request is important in order to ensure that the request is handled correctly and in order to be able to actively demonstrate compliance with the law.


Implement appropriate security measures


Businesses should ensure that their systems for processing personal data – both offline and online – are physically secure and utilise appropriate technical and organisational measures. This is critical, and systems should be tested regularly, possibly by a reputable IT company, to check the security and integrity of the firm’s IT systems. It’s fundamental that data should be password protected with a secure, hard to crack, key.


Conduct staff training


The vast majority of data breaches are the result of human error. Ensuring that staff are trained in relation to data protection issues and that the business is able to demonstrate this in the event of a data breach are critical steps towards preventing a breach from occurring in the first place. It may also help in avoiding a financial penalty from the ICO in the event of a breach. Businesses should train all staff and conduct annual refresher training.


Consider whether it is necessary to appoint a Data Protection Officer (DPO)


This is mandatory in some instances – particularly if the business’s core activities consist of regular or systematic large-scale monitoring of individuals. However, even if it is not mandatory, the business may still wish to appoint a DPO in order to ensure that a single person takes responsibility for ensuring compliance. A DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law. A DPO must also meet certain minimum tasks and responsibilities set out in the GDPR.


Implement an effective system for reporting data breaches


Any data breaches must be reported to the ICO within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. It is, therefore, important that the firm has an appropriate process in place to promptly analyse a data breach, reach a determination on whether it is mandatory to report the breach, and do so where it is necessary.


November 2018 www.buildersmerchantsjournal.net


March 2019 www.buildersmerchantsjournal.net


Conduct a Data Protection Impact Assessment when necessary


If a proposed data processing activity is likely to result in a high risk to the rights and freedoms of individuals and where a type of processing utilises new technology, the business must conduct a Data Protection Impact Assessment (DPIA) before it begins that processing. A DPIA is a risk assessment aimed at identifying potential risks in the proposed processing of personal data in order to enable a data controller to address and minimise those risks if it is appropriate to conduct the proposed processing. A DPIA must be documented.


To conclude


The law is quite clear on what it expects and the punishment that it will mete out if the rules aren’t followed. As recent cases have shown, both individuals and companies alike can face action. BMJ


Carl Johnson is a partner and head of regulatory at Stephensons Solicitors.

