It’s the topic of conversation among business owners that makes the majority of people squirm when they hear it - but it’s actually a good thing!
The EU's General Data Protection Regulation (GDPR) is the result of four years' work by the EU to bring data protection legislation into line with ways of using data that the 1995 rules never foresaw.
Currently, the UK relies on the Data Protection Act 1998, which was enacted to implement the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. Because the GDPR is a regulation rather than a directive, it applies directly in every member state, so data protection rules become more or less identical throughout the EU.
What do the new regulations mean?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you're complying properly with the current law, most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you'll have to do some things for the first time and some things differently.
There will be two levels of fines under the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover for the previous financial year, whichever is higher; it applies to breaches of the obligations placed on controllers and processors, such as record-keeping, security measures and breach notification. The second is up to €20 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher; it applies to breaches of the basic processing principles, of individuals' rights, or of the rules on international transfers. The potential fines are substantial and a great reason for companies to ensure compliance!
What do I need to do to protect my business and ensure I’m compliant?
- Document what personal data you hold, where it came from and who you share it with.
- Review your current privacy notices and cookie policies and put a plan in place for making any necessary changes in time for GDPR implementation.
- Check your procedures to ensure they cover all the rights individuals have, including the right to erasure (how you would delete personal data) and the right to data portability (how you would provide data electronically in a commonly used, machine-readable format).
- Update your procedures and plan how you will handle subject access requests to take account of the new rules: in most cases you will no longer be able to charge a fee, and you will have one month to respond rather than 40 days.
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Review how you seek, record and manage consent and whether you need to make any changes. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes and silence do not count. Refresh existing consents now if they don’t meet this standard.
The above list covers only some of the steps the Information Commissioner’s Office (ICO), the UK's data protection regulator, recommends taking before the GDPR applies on 25 May 2018. Here at CC Professional, we’re invested in ensuring GDPR compliance for our clients and suppliers, so we're working on this ourselves as I write this.
However, we appreciate that it's a complex and time-consuming process and would therefore recommend that any business owner requiring further training and support on the GDPR should: