The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and is a data protection regulation that your business needs to be thoroughly prepared for. Your data handling procedures may need to change. It affects every company in the world that processes personal data about people in the EU. The UK government will be replicating GDPR in UK law prior to Brexit, so if you’re a UK company, Brexit will not affect your obligation to comply.
What do you need to consider?
Although GDPR may seem daunting at first, it is a positive step forward for data protection. Some of the key areas GDPR covers that you will need to consider are:
- Personal data about EU-based people – This includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contact details, medical information, credit card or bank account details and more.
- How you collect personal data – You can only collect personal data if you have a legal reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
- User contracts and terms and conditions (on websites, for example) – These need to be simple, clear and easy to understand with no complicated legal text.
- The right to know – Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).
- The right to be forgotten – Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
- Data portability – Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.
- Data breach – You’re obliged to report certain types of data breach to the relevant supervisory authority.
What can you do to prepare?
There is a lot of guidance and help available, and you need to devote the time and resources to preparing. The UK Information Commissioner’s Office (ICO) has published useful resources on its website, such as its Data Protection Self Assessment Checklists, which will help you assess your compliance with data protection law and, once completed, will produce a report suggesting practical actions to improve your compliance. The checklists cover GDPR for controllers and processors of information, information security, direct marketing, records management, data sharing and subject access, and CCTV.
Summary of GDPR for your business
There are many aspects to GDPR; it is important to be clear and ethical with the personal data you process. You need to ensure you assign responsibility to someone within your organisation to manage data protection and privacy, and ensure training for staff. 25 May will be here before we know it, so don’t hesitate to discuss with your legal advisors to ensure you are compliant.
Allchurch & Co. Chartered Accountants.