Most businesses currently wouldn’t think twice about emailing someone on their database with a special offer, staff invitation or company newsletter.
But from May this year, a strict new ruling aimed at protecting the data of citizens within the European Union comes into force.
After several years of refining and debating and a two-year transitional period, the countdown to the introduction of the General Data Protection Regulation (GDPR) is well and truly on.
Giles Betts, head of employment at Buckles Solicitors LLP said: “Data breach is a growing worry for a business, whether relating to employees or customers, and will be even higher on the agenda in the new GDPR era.
GDPR will replace the UK’s 1998 Data Protection Act, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.
“The aim is to harmonise data protection across all EU member states by making it simpler for everyone, including non-European companies, to comply. However, it brings greater responsibilities for data processors and penalties of up to four per cent of worldwide turnover or 20 million Euros (whichever is the higher) for non-compliance.”
The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Parental consent will be required to process any data relating to children aged 16 and under.
Who will be affected by the GDPR?
The GDPR has far-reaching implications for all citizens of the European Union and businesses operating within the EU, regardless of physical location.
If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.
What sort of data will fall under the General Data Protection Regulation?
- Email address
- Social media posts
- Personal medical information
- IP addresses
- Bank details
What to do next:
Buckles Solicitors LLP advise following a list of practical and achievable steps to make sure you are genned up on GDPR.
- Awareness and education (particularly among senior decision makers): GDPR to form part of agenda for regular board meetings, senior management team meetings, and executive management team meetings.
- Education: identify a group of staff at senior level to introduce the change into teams/departments/sectors (focus group) and arrange monthly meetings with this group.
- Audit information: take a look at what information the business already holds, where, why and for how long.
- Review company HR policies and procedures.
- Consent: review how consent is sought, obtained and recorded and consider whether alternative consent mechanisms are required.
- Subject access requests: conduct gap analysis between current data subject requests and GDPR’s expanded rights and amended policies/procedures.
- Data breaches: review the existing policy/procedure and perform a gap analysis; task specific people or teams to investigate and evaluate potential security breaches; ensure procedures are in place to detect, report and investigate personal data breaches; establish clear reporting processes for reporting security incidents to a central team.
- Data Protection Officer: it may be worth considering if this is a role that needs to be created.
- Training: develop a training programme so that everyone is aware of policies, procedures, reporting structures, their obligations and the impact of failing to comply.