2 June 2018
Countdown To GDPR
If you own or run a business you have probably known about GDPR for some time, and will have started to prepare for it. However if you are still getting up to speed, there is still time to make sure that you are compliant before the new rules come into force on 25 May 2018. Even if your business has got ready, it is worth spending some time to check that no aspects have been missed. This is especially so given that the fines for non-compliance are potentially so harsh, and that you can be sued for damages by individuals whose personal data is misused. There is also an obvious risk of reputational damage.
GDPR (the EU General Data Protection Regulation) contains new rules for the secure collection, storage and usage of personal data. The rules will still apply in the UK after Brexit, and will replace the current Data Protection Act. Strictly, GDPR applies only to businesses and public enterprises with more than 250 employees. But even if your business is smaller than that, you can still be caught by some of the rules, and so it makes sense to be compliant.
What is ‘personal data’? It is any information that can directly or indirectly identify a natural person. It can be in any format, and includes genetic and biometric data. GDPR requires that data is processed lawfully, fairly and transparently, and is collected only for specific legitimate purposes. It must be accurate and kept up to date, and stored only as long as is necessary.
A very important aspect of GDPR concerns obtaining consent for storing personal data. The consent of the individual must be freely given, specific, informed and unambiguous, and you must be able to provide evidence of it. A request for consent must be intelligible and in clear, plain language: silence or pre-ticked boxes on an online form will no longer suffice. There is a ’right to be forgotten’, which may require you to erase all of an individual’s data.
Firms of over 250 employees must employ a Data Protection Officer. This person is responsible for ensuring that the business collects and secures personal data responsibly. But every business should review what data they hold about individuals, and where and how it is stored – that might be on laptops, servers, phones or in the cloud. Every piece of personal data held by your business needs to be identified. When you know where you’re holding personal data, you’ll then be able to monitor compliance and the processes involved in dealing with that data. A breaches of data security must be reported immediately to the Information Commissioner’s Office.
If someone – such a customer, or even a former employee – submits a Subject Access Request, would you be able to provide them with a copy of all the information you hold about them?
For more information, see the Information Commissioner’s Office guide to “12 steps to take now”