General Data Protection Regulation (GDPR)
What is it?
The European General Data Protection Regulation (GDPR) enhances the Data Protection Act (DPA) currently in place. GDPR will give individuals more control over their personal data. It also creates a single regulation for EU individuals.
GDPR will apply to your company if your business holds personal data – that’s information such as names, addresses, HR records, accounting records, customer data and also online data which can be linked to an individual such as IP addresses, device IDs, location data and genetic and biometric data.
When does it come into effect?
It comes into effect on 25 May 2018.
What does it mean for me?
All businesses, regardless of size, which hold data on EU citizens or process their personal data need to make sure they are GDPR compliant. It could also affect international businesses if they target or have customers who are EU citizens.
Note: Even though Britain will be exiting the EU, the government has stated that GDPR will come into force and that, post Brexit, there will be UK law which mirrors GDPR.
If you do not comply with GDPR, the maximum fines could be 4% of your annual turnover or €20 million, although the ICO is more likely to work with individuals to get them compliant.
What do I need to do?
If you hold or process personal data then you need to ensure you have taken the necessary steps below to ensure you’re compliant.
- Audit your data – you need to show that you have reviewed the personal data within your organisation. The following questions will help you compile an audit and decide what steps you take to protect the data you hold:
  - What data do you have? This could be employee data, customer data, accounting records etc.
  - Where did it come from? How did you originally get the data? Was it compiled, purchased, supplied by a client etc.?
  - What do you do with the data? How do you use this data within your organisation? Do you need all the data you have collated?
  - Who do you share the data with? Do you share this data with other employees or any third parties? If so, why?
  - How do you store the data? Where is the data stored? Is it on hard drives or in the cloud?
  - How secure is the data? Is the data protected by passwords or encrypted? How secure are the passwords?
- Review how you obtain consent to market to individuals – you need to make sure that you have been given clear consent.
  - Consent cannot be hidden in other policies or on websites. Customers or prospects need to actively opt in to communication.
  - Pre-ticked boxes are no longer allowed.
  - With existing customers, if you cannot show clear consent you will need to retrospectively ask for permission again.
  - Special rules apply to children; you also need to get consent for any data processing.
  - A business does not need consent from employees when the processing is for the running of the business, e.g. PAYE, next of kin, salary, pension details etc.
- Individuals’ rights – you need to be able to respond to an individual’s request.
  - If someone wants to unsubscribe, you must make it easy and clear for individuals to unsubscribe at any time.
  - You must also delete all of their personal data if they request it.
  - If someone requests their information, you must supply it within one month in a commonly used electronic format.
- Review your privacy notices – privacy notices and contracts should be updated to give clear information about who you are, how you use customer/client data and details of anyone you will share it with.
- Review terms and conditions and contracts – if you have suppliers who are processing data for you, then you will need to update your contracts with a number of mandatory clauses, which can be found in Article 28(3) of the GDPR.
- Governance – you should think about having someone who can deal with all GDPR elements, a data protection advisor (this can be an internal or external person). They can ensure you have the governance in place.
  - Think about appointing a Data Protection Officer (if you are handling large-scale monitoring or processing of information this is mandatory).
  - Ensure GDPR awareness and training is carried out across the organisation.
  - Check if you need to pay the data protection fee.
  - If someone requests information, ensure you have processes in place for how you will handle this in a timely manner.
  - Ensure you record and learn from any breaches.
  - When looking at any new systems or processes, GDPR should be factored in.
- Notification of breaches – if a data breach is likely to harm individuals you must notify the ICO within 72 hours. You should also:
  - Make sure you have processes in place to investigate a data breach, as you will need to tell the ICO what actions you are taking.
  - A breach which only included names and addresses of people that are publicly available would probably not be a high-risk breach; however, if it included account data or passwords this would be a high-risk breach.
Not sure if you are compliant?
You can visit the ICO website and go through this checklist to see whether you’re already GDPR compliant or what gaps you may have.
We can help
If you need help getting GDPR compliant or have a query about GDPR and Data Protection just get in touch for a free marketing assessment.
Within GDPR you are a “controller” if you are the company which decides “why” the personal data will be processed (the purpose of processing the data). This is likely to be your own data.
You will be a “processor” if you determine “how” the data will be processed (i.e. what systems/methods are used). This is likely to be an IT service provider or third party who holds/processes someone else’s data.
Disclaimer: BKS Consultancy is providing this information in an advisory capacity and is providing independent advice based on experience. BKS Consultancy cannot be held responsible for any decisions made based on the advice above without expert guidance.