Advice from David Sweet, our Technical Director
We are getting asked a lot of questions about the GDPR. Not familiar with it? You are not alone. A lot of businesses are still in the dark about the General Data Protection Regulation, which becomes enforceable from 25 May 2018.
Although it sounds like you have plenty of time, the reality is that action is needed now to meet that deadline.
Even many of those who are aware of the new law are unsure of how to go about preparing for it or remain confused about what is required of them. Some of the biggest businesses in the UK are even starting to put aside a percentage of turnover in preparation for fines that they now see as inevitable!
What is the GDPR?
Let’s start at the beginning. The GDPR has been called the ‘biggest change in data protection in a generation’. Like the Data Protection Act, it is legislation concerned with personal data – that is, ‘any information relating to an identified or identifiable person’. However, the scope of the GDPR is much, much wider than that of the Data Protection Act.
And it is designed to make senior management sit up and listen: the maximum fine for non-compliance is 20 million Euro or 4% of your annual worldwide turnover, whichever is higher.
The GDPR is a potential minefield for businesses so let’s break it down…
Key points you need to know about right now:
Documentation
Be prepared to provide documentation to prove your compliance. This is likely to involve an evaluation of your data processing policies and procedures, as well as improved maintenance and management of your records of processing.
Under the GDPR you could be asked, for example, to show how you obtained personal data, why you hold it, on what lawful basis you process it, and how you use it.
Consent and privacy information
Review all the personal data you hold, and the basis on which you collected and process it, to check that it meets the new regulation. Unfortunately, in most cases it won’t, so start the work now to be compliant by the deadline.
Where you rely on consent as your lawful basis, the GDPR requires that it be ‘freely given, specific, informed and unambiguous’. In other words, the days of the pre-ticked consent box are over: you cannot rely on consent to use someone’s personal data unless they have actively agreed to it being used in exactly the way you told them it would be. Consent is only one of the lawful bases for processing, so check which basis actually applies to each of your processing activities and document it.
Data breaches
Ensure you have a proactive approach and a written policy for preventing, detecting and reporting personal data breaches, and that staff are trained in how to respond.
You will have just 72 hours from becoming aware of a personal data breach to notify the supervisory authority (the ICO in the UK), unless the breach is unlikely to result in a risk to individuals, so everyone needs to know how to recognise a breach and what to do when one happens. Missing the deadline, or failing to notify at all, can itself attract a fine.
Subject access requests
You’ll need tight policies and procedures in place to deal with individuals’ new and strengthened rights over their personal data.
The GDPR gives you one month to respond to requests from individuals, including requests to have their data deleted or corrected, requests for access to all the information you hold on them, and details of how, why and for how long it is being used. The month can be extended by up to two further months for complex or numerous requests, but you must tell the individual within the first month that you are doing so.
Data Protection Officer
Your business may need to appoint a Data Protection Officer to take responsibility for your compliance. A DPO is mandatory for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health, biometric or criminal-record data).
The GDPR is far-reaching – certainly too far-reaching to tackle in one blog post! It is clear that there is a lot of work to be done before May 2018 to become compliant, but don’t become overwhelmed. Help is at hand, and it is achievable before the deadline.
Email us for a free PDF guide on Preparing for the GDPR for a more detailed look at the challenge facing businesses and our advice on how to stay ahead of the game and become compliant – firstname.lastname@example.org.
We are proud to be accredited to deliver the government’s Cyber Essentials and Cyber Essentials Plus certification scheme, which addresses the baseline technical security controls relevant to the GDPR’s requirement to keep personal data secure.
Contact us now for more details on how we can help your business prepare for the GDPR – 0117 962 63 64 or email@example.com.