GDPR comes into force from 25th May 2018, but what does it actually mean for you and your business?
GDPR stands for the General Data Protection Regulation and is all about protecting the privacy of an individual’s personal data. It builds on the existing regulations of the Data Protection Act (DPA). Currently a company can be fined up to £500,000 for incorrect or unsafe handling of someone’s personal data.
GDPR’s aim is to give individuals control over their data, which means it will be a lot harder for companies to store information about people, including addresses, e-mails or personal preferences. GDPR gives people the right to be forgotten: they can request that their data is removed from your system. You will need to comply with their wishes within 72 hours of receiving the request or face a fine!
We aren’t experts on GDPR and this is only a brief overview; you can find all the details you need here.
Here are the basics:
- The Basics
Data must be processed lawfully, fairly and in a transparent manner and should only be collected for the specified and relevant purposes. It should also be accurate and up to date and kept for no longer than is necessary.
GDPR also demands that companies are able to demonstrate how they comply with the regulations, so be aware that you may need to put together more policies and statements and ensure that all staff are properly trained.
- The Money Bit
Failure to comply could see a business landed with a fine of up to €20,000,000 or 4% of its global turnover, whichever is the higher!
Consider the risk for each part of your business that processes personal data, and the potential risks to the individuals whose data you process. It’s also worth taking into account the risk to the reputation of your company if you’re found not to be storing data correctly.
To make sure your company is compliant, you should undertake a Privacy Impact Assessment (PIA); this will help you determine the risks your business faces and how you can mitigate them.
Don’t think you’ll get away with just keeping a few records and ensuring that your IT security is up to date.
- Lawful Basis
Data must be processed lawfully. In the UK, the ICO (the Information Commissioner’s Office) has said that GDPR consent is not mandatory for processing data and is just one of the lawful bases on which your business can rely. They suggest that “Legitimate Interest” is the better option for most businesses.
Our blog doesn’t constitute legal advice and only provides a brief overview, so please seek legal advice before putting any policies into place for your business.