I have been asked now by many of my clients as to what GDPR is and so I thought it might be helpful to write the following blog post on GDPR and what it means for businesses.
GDPR is an acronym for ‘General Data Protection Regulation’ and is an overhaul of the legal requirements for anyone handling the personal data of EU citizens. In this overview, I will highlight the key themes to help business owners understand the new legal framework in the EU, which will be in effect from the 25th May 2018.
So what information does GDPR apply to? In short it applies to personal data such as HR records, customer lists, contact details etc. and will apply to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. Sensitive personal data is also included where information can be processed to uniquely identify a person.
Many UK companies hoping that Brexit means the GDPR won’t apply to them will be disappointed. The UK will still be in the EU when the new law comes into force and when we do leave, it is likely that the UK Government will adopt the same or similar legislation. Breaching the law could subject a company to significant fines of up to €20 million, or 4% of an organisations’ global annual turnover, whichever is higher.
So how will the new law affect small businesses? I will run over the key points of what you must prepare for here:
Appoint a Data Protection Officer –
This officer will have to be skilled and have an expert level of knowledge of your company’s responsibilities regarding GDPR. As part of the data collection process, your business will have an obligation to make individuals aware of their rights under GDPR. This may mean that many of your privacy policies and Terms and Conditions will need to be updated.
Be aware of the strict laws regarding data breaches.
Businesses will have to comply with the new laws around reporting the loss of any personal data under their control. Any such loss must be reported to the national data protection authority, which in the UK is the ‘ICO’ within a maximum of 72 hours, and preferably within 24 hours. Your employees must have a thorough understanding of what data within your organisation counts as ‘personal’, where it’s kept, who has access to it, and how to spot breaches when they occur, as well as whom it must be reported to.
Be aware of the changes that have been made around ‘consent’.
Explicit consent must now be given for any personal data to be used. This will mean any information collected before this consent was given will not be permitted to be used under the new law. Retrospective consent will need to be gained before this information can be legally used.
If any of these changes will effect your business, my advice would be to start making your preparations sooner rather than later! Having a compliant data protection system can only foster trust in the long term and will save your company headaches and possibly a hefty fine in the future.