What businesses need to know about new GDPR
The General Data Protection Regulation (GDPR) is set to come into force from May 2018.
It will replace the current Data Protection Act and is the biggest overhaul of data protection legislation for over 25 years. GDPR will change the way organisations process personal data and regardless of what happens during the Brexit negotiations, it has been made clear that businesses will have to comply with the new rules – this means it is likely we will adopt most if not all of GDPR as domestic legislation.
Businesses must ensure they are up to date with the new legislation to make sure they are fulfilling their legal responsibilities. In this article, we take a look at some of the things you can do to make sure you are prepared.
Technology has moved on since 1998 when the current Data Protection Act was enacted, and whilst the definition of Personal Data is generally the same as in that Act, there are changes to add matters such as online identities and location data. The general concept remains the same though, Personal Data is any information which identifies an individual.
Furthermore, if you plan on selling any of the data on to third-party organisations, you must get explicit consent. In order for the consent to be valid, it will need to be freely given, informed, specific and an unambiguous indication through a statement or clear affirmative action, i.e. ticking a box.
Opt ins and opt outs
With GDPR, it is essential that a business complies with a set of lawful conditions to process data for direct marketing purposes.
It should be noted that organisations do not need consent for all forms of marketing, businesses are allowed to make contact for direct marketing purposes via calls to numbers that are registered with the telephone preference service or by post. As long as the organisation can satisfy the legitimate interest condition.
While giving people the opportunity to opt out is acceptable, it will not mean a business has consent, that will rely on legitimate interest only. Businesses must ensure that they get this right.
People can request the removal of data under GDPR, dubbed the “right to be forgotten”. This could be for a number of reasons, such as the individual no longer wants the business to have the information or if it’s no longer to be used for the purpose for which it was initially collected. The data must be kept up to date and accurate, so businesses should consider how they are keeping data to ensure it is not held for longer than is necessary.
One of the key points to GDPR is giving people the opportunity to see what data that business has about them. Individuals are able to make information requests to view the data and what the business intends on doing with it.
The fines for organisations that are subject to a data breach have been increased by the Information Commissioners Office (ICO), as well as new duty for organisations to report data breaches should they occur. Businesses must ensure they have the correct procedures in place to detect, report and investigate a data breach. When a breach does occur, it must be notified to the ICO within 72 of the organisation becoming aware of it. It is worth staying up to date with information from the ICO to keep on top of developments.
- Review the requirements as they apply to your organisation. Carry out a gap analysis to identify where the business falls short of the requirements.
- Consider appointing a director or staff member to be responsible for compliance with the new regulations.
- Regulation and compliance will almost certainly involve additional costs. Budget appropriately for these.
- Develop policies and systems to collect, process and protect personal data and to identify and report potential breaches.
- Train staff to make sure that they are aware of the requirements of the regulations as they apply to their everyday tasks.
- Review arrangements with third party data processors (e.g. payroll providers and HR providers) to ensure that they remain compliant also.
If anything in this article is of interest to you, or concerns you in any way, please get in touch with our advisors here.
Paul Wormald is a partner at Hawsons, working in the Doncaster office. He worked previously with two national firms of Chartered Accountants prior to joining Hawsons in 2001. For more information or advice on anything covered in this article, please contact Paul on [email protected] or 01302 367 262.[/author_info]