Among other things, this new law requires you to:
- Notify the Information Commissioner’s office and the person concerned in the event of a data breach within 72 hours after becoming aware of it.
- Review and/or revise your justification(s) for collecting and using data, and make it as easy to withdraw consent as it is to give it.
- Modify your consent processes to ensure compliance with the law, to include your IT and cookie policies.
- Engage ‘fair processing’ notices throughout in order to warn people how their data will be gathered and used.
- Conduct a root and branch audit of your data processing and conduct Privacy Impact Assessments where appropriate.
- Implement ‘privacy by design and default’ in relation to the way you collect and use data.
- Action and facilitate the ‘right to be forgotten’.
- Service subject access requests much more quickly.
- Train your staff properly on all the key stages and, most importantly, have a process in place to deal with a data breach (what steps to take when notifying the ICO, what messages to send to data subjects and other relevant parties, etc.).
- Document all breaches, even if they don’t all need to be reported.
Not only will this involve most businesses in considerable advance preparation, but the price of non-compliance could be up to 2-4% of global turnover in fines, depending on how severe the data breach is and what efforts you made to comply with the law in the first place.