Directions EMEA 2024
Directions EMEA 2024 Vienna updates and news from our team at the event. Get Business Central Updates.
Essential Reading
ICO Advice on GDPR Legislation, Essential Reading
Jesse Lawrence
The 12 Points to Cover in GDPR
We wrote in a previous blog about GDPR and how it effects every business in the UK, as well as any global company holding data on businesses in the EU. There are a lot of people concerned about the General Data Protection Regulations (GDPR) regarding what it means and what you must do to be covered. A lot of these are companies trying to sell solutions that are either directly or loosely related and care must be taken to not buy something that isn’t actually required.
The suggestion here is to start with the Information Commissioner’s Office, the ICO, as they are providing a lot of independent advice and are the people dishing out fines. Their document “Preparing for the General Data Protection Regulation (GDPR) - 12 steps to take now” gives a good overview providing an understanding of the areas covered and what needs addressing. To help you to get the ball rolling, this blog is a short summary of those points.
Disclaimer
All of the information we provide is to our best understanding at the time of writing, however this blog does not offer legal advice. If you require advice on your specific business we recommend that you seek independent legal advice.
1. Awareness
It is important that key people in your organisation are aware of GDPR and the direct implications to the business. Due to the significant implications to your organisation, GDPR may effect systems, procedures and resources. The sooner this is managed by your company the easier it will be to be compliant.
2. The Information that You Hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas.
3. Communicating Privacy Information
A key element to GDPR, as it was in the DPA, is transparency and providing accessible information about how you will use personal data. The most common practice is to provide a privacy notice, for which the requirement under GDPR is extended over the DPA.
4. Individual’s Rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.
5. Subject Access Requests
You will be required to respond to requests about the data that you hold within 1 month, such as what data and why you are holding it. You are not generally allowed to charge for access requests, however there are exceptions for requesting pay or refusing in extreme circumstances. If you have automatic processing of data, such as ratings, credit checks, etc, there is a separate set of rules.
6. Lawful Basis for Processing Personal Data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. Unlike the DPA, there must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must not be a mandatory part of the provision of products or services; for times when data collection must be taken as mandatory (such as for credit checks) then alternative lawful basis must be in place.
8. Children
You should start considering putting systems in place to verify individual’s ages, as children’s personal data may require consent from a guardian for anyone under 16 ( this may be lowered to 13 in the UK).
9. Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design approach an express legal requirement. In some circumstances it is mandatory to carry out a Privacy Impact Assessment (PIA), now referred to as ‘Data Protection Impact Assessments’ or DPIAs.
11. Data Protection Officers (DPO)
Organisations such as public authorities are required to appoint a DPO. However, irrespective of whether you are required to have a DPO, you are advised to designate individuals to take responsibility for the data protection compliance in your organisation.
12. International
If you process data across a number of EU member states, you are advised to follow the authority of the data protection supervisory authority in the country that you complete the most significant decisions about processing activities.
Stay Tuned for More GDPR Information
In our next GDPR blog we will be looking at providing more information on addressing the legislation from a practical point of view. We will also look at how both the Microsoft offerings and our own solutions will help with addressing those points, which will hopefully give an idea of what you need to do with your own systems. If you would like to stay up to date with our news please sign up.
What's New in Business Central
Business Central 2024 Wave 2 is here, Get the latest features in our Dynamics 365 Update “what’s new” webinar from the business central experts
Streamlined Order Fulfilment: Enhancing Efficiency with Process Control in Business Central
Whether your business is B2B or B2C, your order fulfilment process can have a dramatic impact on your brand and customer loyalty. You play a vital role in optimising the entire process to enhance customer satisfaction and streamline operations.