Companies will be required to keep a tighter watch on the data they collect, maintain and share.

GDPR: Don't get caught out

General Data Protection Regulation (GDPR) will come into effect from 25th May 2018, bringing a number of important alterations to how data may be stored and shared. So if you issue newsletters, hold customer databases or manage employee payroll, for example, it will affect you.

Replacing the Data Protection Act, GDPR will demand more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals. As a result, companies will be required to keep a tighter watch on the data they collect, maintain and share.

Why should businesses care?
GDPR applies to all businesses that offer goods and services to data subjects in the EU or monitor the behaviour of data subjects in the EU, regardless of the industry or location of the business, and it will demand more in terms of ‘accountability’. The existing rights of individuals over their personal data will be enhanced, with substantial penalties for non-compliance, including fines of up to 4% of annual worldwide turnover or €20m for the worst violations.
 
One of the most important aspects of the legislation is the requirement that businesses prove they have obtained consent to hold information on their employees, clients or consumers, and that those individuals have ‘opted in’ to allow the data to be kept.
 
Under GDPR, it will be tougher to ensure that effective consent has been obtained. The all too heavily relied upon ‘pre-ticked boxes’ will become a thing of the past; instead, consent must be demonstrable. Those whose data has been collected must have clearly and freely agreed to it on an informed basis, and must be able to withdraw consent whenever they want, after which their data must be erased.
 
Are you prepared?
An essential factor in achieving compliance with the GDPR is ensuring that you understand what personal data your organisation holds, where it comes from, what you do with it, who you share it with, how and where it is stored and for how long, and where in the world it goes. You’ll also need to consider where your main risk areas are, such as having inadequate privacy notices, no clear legal basis for processing personal data, inadequate security or frequent transfers of personal data outside the European Economic Area (EEA).
 
Finally, a robust action plan, built to deal with the aftermath of any data breach, should also be put into place. It will involve telling customers what has happened and reporting the incident to the Information Commissioner's Office (ICO) within 72 hours, in order to comply with the new legislation.
 
If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR. However, to make extra sure your business practices are watertight a ‘gap analysis’ is a good starting place to show where new processes and/or personnel may be needed.
 
May 25th 2018 might feel like a long way away, but by acting now to get you and your business acquainted with the full outline of GDPR, and exactly what is required of every organisation, big and small, you’ll have a better chance of being compliant when the time does come.

Two of our clients can provide assistance: Dynamic Networks Group and JM Glendinning can help organisations understand and protect themselves ahead of the legislation.
 
For more information visit https://ico.org.uk/for-organisations/data-protection-reform/

The Partners Group
