You may already be aware that the Data Protection Act is being replaced on 25th May 2018 by the General Data Protection Regulation (GDPR), but do you know what effect the stricter rules will have on your business? The changes significantly increase the responsibility of people and businesses which use and store people’s data, including any contact information.
Whatever the size of your business, now is a good time to start the conversation. Below are some small steps you can begin taking now to ensure you are ready for 2018.
What is the GDPR?
The GDPR will apply to all EU member states (including the UK at present). New rules will replace current EU legislation on the processing and handling of data, including the Data Protection Act 1998. This change is about harmonising and strengthening the data rights of EU individuals.
How will the changes affect you and your business?
The changes are likely to be significant, particularly if you have more than 250 employees. Potential fines for non-compliance could also be significant. With those two scary facts out of the way, the good news is that you can start making small changes now so that you are well prepared for May 2018.
5 key changes:
- Stricter rules on consent
DPA now: the default assumption is that someone has agreed to receive information from you (unless they have stated otherwise, for example by ticking an ‘opt out’ box).
GDPR from 25th May 2018: the default will be that people have not agreed to receive information unless they have taken positive action to ‘opt in’ to communications. Consent must be given, what is being agreed to must be clear, and people must be able to withdraw their consent freely.
- Enhanced rights for individuals – covering data erasure, correction of inaccurate data, and the right to request notification of data breaches.
- Businesses held more accountable – which means complying with new measures and also demonstrating how your business complies. This covers conducting privacy impact assessments and in some cases, appointing a dedicated Data Protection Officer.
- Data breach notifications – breaches of the GDPR will need to be communicated to the ICO (the Information Commissioner’s Office, the UK’s independent authority which upholds information rights) within 72 hours.
- Significant fines – businesses which fail to comply can be fined 2-4% of their global turnover or between €10M and €20M, whichever is greater.
5 key questions businesses should be asking now:
- Where do we currently store personal data, and is it secure?
- Who has control of personal data at present?
- How do we obtain consent at the moment?
- What are the current IT systems and processes relating to the data we hold?
- Is the data we hold shared with any external contacts, and is it transferred across borders or outside the European Economic Area (EEA)?
The ICO has issued guidance for organisations on preparing for the new regulations and what actions to take.
If you have any questions about the GDPR and your legal requirements, please email our team: [email protected]