Policy News Journal - 2017-18

- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers.

Under the plans individuals will have more control over their data by having the right to be forgotten and ask for their personal data to be erased. This will also mean that people can ask social media channels to delete information they posted in their childhood. The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past. Businesses will be supported to ensure they are able to manage and secure data properly. The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue higher fines, of up to £17 million or 4 per cent of global turnover, in cases of the most serious data breaches.

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data.


Have you begun any data preparation for GDPR? 15 August 2017

In a CIPP poll, 31% of respondents have begun data preparation for the General Data Protection Regulation (GDPR); however, almost the same proportion (29%) had not heard of GDPR.

During July 2017 the CIPP ran a poll asking about employer readiness for May 2018 when the General Data Protection Regulation (GDPR) is implemented in the UK. We received 343 responses in total.

It is encouraging that almost a third (31%) have begun data preparation and just over a third (34%) have a plan in place to start preparation.

However, 29% stated that reading the poll was the first time they had heard of GDPR, and the remaining 6%, although having heard of GDPR, did not think it was applicable to their organisation. If you fall into either of these two categories it would be beneficial to read on.

GDPR preparation (excerpt from the CIPP half-day training course)

The objectives of the preparation for GDPR should be to ensure that:

- the organisation can demonstrate its services and operations comply with GDPR
- the risk of reputational damage and financial loss from regulatory actions and legal claims is reduced or mitigated.

As part of the preparation for GDPR you should assess current compliance with the Data Protection Act (DPA) 1998. As a first step seek answers to, at least, the following questions:

7. Which business processes handle and store sensitive data?
8. Where is all of the sensitive data stored?
9. Do suppliers and third parties only process personal data as authorised?
10. Are risks to personal data being managed effectively (and in line with GDPR)?
11. Are reports of compliance compiled and retained?
12. Can the data held be retrieved in the appropriate format (e.g. csv) if requested?

For questions 1 and 2 it is important to review the organisation’s data flows. An audit of the data flows will allow the organisation to:

The Chartered Institute of Payroll Professionals


cipp.org.uk

Page 46 of 516
