It is rare that a single piece of legislation affects everybody in business, but this one truly does. If your everyday work routines involve storing or using information about named individuals, such as clients, suppliers, employees, pretty much anyone, then it is essential to be aware of the GDPR. Don’t worry: keep reading this simple and easy GDPR guide.
What is The General Data Protection Regulation?
The GDPR, which came into force on 25th May 2018, provides a legal framework for keeping everybody’s personal data safe and secure by requiring businesses to have resilient procedures in place for managing and storing personal information. It was also created to protect us as individuals from being approached by companies without our explicit permission.
Why does this matter?
The GDPR is broader in scope than its forerunner, the Data Protection Act 1998 (DPA 1998), and introduced a range of new rules that differ considerably in specific areas, such as:
- A broader definition of ‘personal data’ covering more details than previously.
- Data processors (e.g., accountants managing your payroll records) are legally required to comply with the GDPR, which they were not in the past.
- The legal requirement for particular companies to designate data protection officers, accountable for managing the GDPR requirements for record-keeping and data impact evaluations.
- An easier process for individuals to claim compensation from a non-compliant company.
- Organisations located outside of the European Union must abide by the rules if they provide goods or services into the European Union.
- When obtaining ‘consent’ from individuals, it needs to be explicit and specific. Under the previous rules, the onus was on the individual to request removal from a mailing list; now organisations must ask for permission from the outset.
- An obligation to report data breaches to the Information Commissioner within extremely tight timelines.
- A ‘right to be forgotten’.
- More stringent outcomes for non-compliance.
Who In Your Business Needs to Know?
This is a matter of governance, so it ought to be on the Board's agenda, along with operating procedures for the marketing department and data handlers. Enterprises might be expected to designate data protection officers and carry out privacy impact assessments. HR, operations, sales, and marketing will need to be involved, and everybody in the organisation who uses data must be aware of how to abide by the rules.
Some sectors are more clearly affected than others, such as the marketing sector, consumer-facing companies, businesses that trade internationally, and those that maintain substantial customer databases; however, the GDPR touches all businesses to some extent.
A few things to check on:
Records stored
What personal data do you currently store? Where did it come from and what is it being used for? An information audit may help determine any areas for concern.
Privacy notices
Do your privacy notices (what you use data for) satisfy GDPR requirements? These must be kept under constant review.
Legal Rights
Do your processes cover all the legal rights of an individual, such as how you action a request for information or deletion?
Data storage consent
Does your data collecting and recording consent conform to the GDPR?
Information stored on children
Does any information stored on children have parental or guardian consent?
Yikes! Confusing? Worrying? What next?
Please don't panic! While the requirements are significant, making certain that all your procedures relating to data protection are at a minimum up to date is a great start. Next, conduct a data audit. We can happily help you with this. Moving forward, you need to plan to ensure that any new business contracts you commit to include suitable, compliant data clauses, and that any current contracts are revised.