GDPR Proof of understanding S04

The General Data Protection Regulation (GDPR) is a European law that governs how organisations handle people’s information, and it applies to all businesses that handle the data of European citizens. It sets out the requirements organisations must comply with whenever they use information about people, and the rights those people have in relation to their information.
The GDPR builds on our current laws around data protection, strengthens them and adds to them. What this means is that we need to keep doing what we’re doing to protect people’s data, but in some areas we’ll need to do more.
Here’s an overview of some of the key changes under the GDPR and how we’re preparing for them:
Accountability – The GDPR introduces a new principle of accountability. This requires Sky to be able to demonstrate how we’re complying with the GDPR, which means we must keep detailed records showing what personal data we hold, where it came from, what we do with it and with whom we share it.
Privacy Notices – The GDPR requires Sky to provide more information to people whenever we’re collecting their data, so we’re revising our privacy notices to make sure we’ve explained everything we need to. This helps make our data processing fair and transparent.
Consent – It’ll be more difficult to rely on people’s consent to process their data under the GDPR. It also needs to be as easy for people to withdraw their consent as it is to give it. At Sky, we rely on consent for processing customer data for direct marketing, so we’re updating our processes for obtaining and recording consent to take into account the changes in the GDPR.
Individuals’ Rights – The GDPR is designed to strengthen the control people have over their data, so existing rights to access, correct, object to processing and prevent direct marketing have been maintained and enhanced. A new right of data portability has also been introduced. At Sky, we’re making changes and improvements to our systems and processes to make sure we can comply when individuals such as customers and employees exercise these rights.
Breach Notifications – The GDPR requires Sky as a data controller to notify their Data Protection Regulator about a data breach within 72 hours; we may also need to notify any affected individuals. Sky already has breach notification obligations under current laws, with 24 hour deadline, so this just means that there’ll be additional data breaches we’ll need to report under the GDPR.
Fines – The GDPR will allow Regulators to issue fines for data breaches of up to 4% of an organisation’s annual global turnover. This could mean that a data breach might cost Sky hundreds of millions of pounds. It’s essential that everyone at Sky thinks about data protection in everything they do to prevent data breaches happening.
Privacy by Design – The GDPR requires Sky to embed Privacy by Design and Privacy by Default into all our processes, products, services and operations. This means we’re always considering data protection, at every stage. At Sky, we’ll have a programme of Privacy Impact Assessments designed to ensure the right level of data protection is designed into all our activity.
At Sky, we’ve always considered data protection to be important, so we’re already doing a lot of what’s required under the GDPR. An extensive GDPR programme, running across all of Sky, is already well under way to make sure we comply with the new requirements by May.
To find out more about what GDPR activity is happening in your area, speak with your local Data Protection Co-Ordinator.