FSFRebecca
Posted November 20, 2017

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year. I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]

Things you need to know:

- GDPR stands for: General Data Protection Regulation
- The new regulation comes into effect from 25th May 2018
- Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!

Something you need to do first:

Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.

This is what early years settings might like to think about in preparation:

- Use the '12 steps to take now' document to audit what they already do to meet data protection requirements.
- Use the audit sheet to document the audit process.
- Collate details from 'To Do' list - make action plan.
- Complete action plan!

This is #3 of 12 threads which will help you think about what you need to do to be ready for 25th May.

3. Communicating privacy information

Review existing privacy notice (sometimes called Fair Processing notice) and ensure that it contains the following:

- Your (as the controller) contact details.
- What information is being collected.
- Who is collecting it.
- How it is collected.
- Why it is being collected.
- How it will be used.
- Who it will be shared with.
- When it will be deleted.
- What the effect of this on the individuals concerned will be.
- Whether the intended use is likely to cause individuals to object or complain.
- The fact that they have a right to access, rectify, delete, restrict, and object to the processing of their data (which we'll come back to in #4 of these posts).
- The fact that they have a right to data portability (which we'll also come back to in #4 of these posts).
- The fact that, if you are collecting their data based on consent, they have the right to withdraw that consent.
- The fact that they have the right to complain to the supervisory authority.

This will draw on the detail you have in the spreadsheet from part #2.

Here is specific guidance from the ICO which tells you exactly what to include and how it should be presented: Privacy notices under the EU General Data Protection Regulation