
Businesses be warned: protect your business or face a HUGE fine in 2018

On May 25th, 2018 the biggest change in data protection legislation for two decades will come into force, and many businesses are not aware of, or prepared for, what is coming. Businesses, charities and organisations of all shapes and sizes that capture, record or store personal data about customers, staff or other individuals WILL BE affected by the European General Data Protection Regulation (GDPR).

Furthermore, businesses that do not comply with the regulation can be fined up to 4% of their annual worldwide turnover or €20 million, whichever sum is greater.

What is the GDPR?

Adopted by the European Union (EU), the GDPR replaces the 1995 Data Protection Directive which underpins the current UK data protection laws. As a current member of the EU, UK businesses are directly subject to the GDPR, and following Brexit any business that offers goods or services to, or monitors the behaviour of, individuals based in an EU country (whether selling to consumers or business to business) will continue to be subject to it.

The GDPR is designed to bring data privacy laws across the EU into line with each other and to give individuals greater protection and stronger rights. The current legislation was put into place long before the internet was embedded in everyday life, and we have simply outgrown it. With developments such as cloud-based data sharing and companies like Facebook building detailed profiles of their users, more control is needed over how personal data is used.

Additionally, the EU wants a data protection law which applies throughout the single market.

What should you be doing right now?

Awareness

Assess who needs to be aware of this within your organisation. Who will this impact? Who will ensure that your business is compliant?

Designate Responsibility

Within your organisation, establish who will lead on implementing the GDPR and who will ensure that your business remains compliant afterwards. Consider whether you need to appoint a Data Protection Officer; this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and a sensible step for many others.

Audit

Conduct an audit of what personal data you hold within your business, where it is collected from, where it is stored, who it is shared with and how long it is kept. You cannot protect, or answer questions about, data you do not know you have.

Privacy Information

Review your privacy policies and notices. Plan for changes that need to be made to accommodate the GDPR.

Assess Your Systems

Under the GDPR an individual has the right to make a number of requests in relation to the data you hold on them, including access to it, correction of it, erasure of it, and a copy of it in a structured, commonly used, machine-readable format. Assess whether your current systems allow you to locate all the data on one person and respond to such a request promptly (normally within one month). If not, make changes ahead of the legislation coming into force.

Ability to Fulfill Requests

Prepare a procedure now for collating and fulfilling a data request should the occasion arise. Who will be responsible for processing a request within your business? Where will requests be recorded?

A Lawful Basis for Processing Personal Data

Ensure that your business only collects the data it needs to provide the customer with the product or service they require, and identify and document the lawful basis on which you process it. Consent is only one of the lawful bases the GDPR recognises (others include performance of a contract, a legal obligation and legitimate interests); where you do rely on consent, it must be requested from the customer and recorded.

Review Your Consent Methods

You should check the consent guidelines to ensure that your method of collecting consent meets the GDPR requirements. If not, update your method of collecting consent. Consent must be a clear, affirmative action by the individual: a pre-ticked box, silence or inactivity no longer counts, and it must be as easy to withdraw consent as it was to give it.

Age Verification

Whilst not applicable to all organisations, consider whether you need to implement a way to verify the age of individuals and (where applicable) a method of obtaining parental or guardian consent for children below the age of digital consent. The GDPR sets this at 16 for online services but allows member states to lower it to as young as 13, so check the age that applies in each country you serve.

Data Breaches

Is the system you use able to detect a data breach and alert you promptly? Under the GDPR you must notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a breach that is likely to put individuals' rights at risk, and you must tell the affected individuals without undue delay where the risk to them is high. The 72-hour clock starts when you become aware, so slow detection eats into the time you have to investigate and report. Keep a record of every breach, including those you decide not to report, and why.

Follow the ICO's Lead

Take some time to familiarise yourself with the ICO's code of practice on Privacy Impact Assessments (which become Data Protection Impact Assessments under the GDPR), the guidance on the ICO's website at www.ico.org.uk, and the latest guidance from the Article 29 Working Party, the group of EU data protection authorities charged with agreeing Europe-wide guidance on the GDPR.

This information is for general information purposes only and does not constitute legal or professional advice. We advise that for further guidance you refer to www.ico.org.uk. Follow Morgan Branding on Facebook, Instagram and Twitter for more helpful tips.
