25 May 2018 is a date that should be in your diary – it’s when the new European General Data Protection Regulation (GDPR) comes into force.
Whilst some of the new rules don’t apply to businesses with fewer than 250 employees, some do, and it’s best to be prepared. GDPR does acknowledge that big multinationals and public-sector bodies should be treated differently from small businesses.
But if you routinely deal with personal data – including that of past and present workers, suppliers and customers – then you must comply.
So, let’s take a quick look at GDPR, what it is and what you need to do.
What is it?
The General Data Protection Regulation coming into force in May 2018 aims to give citizens and residents greater control of their personal data and to simplify the legal framework for international business by bringing in a single law that covers the whole EU. Although the UK is leaving the EU, it has committed to replacing the current Data Protection Act with laws that reflect the GDPR requirements.
Many principles of the GDPR follow those of the Data Protection Act, so if you are compliant with that then you are on the right track already.
However, a key new bit about GDPR is the Accountability Requirement.
This means that you now need to show how you comply with the regulations and back it up with documentation that records your decisions in dealing with personal data.
This could mean larger businesses appointing a data protection officer, having documented training for your workers or carrying out audits of your processes.
If your organisation has fewer than 250 employees you must still maintain records of activities related to ‘higher risk processing’, such as processing personal data that could result in a risk to the rights and freedoms of individuals, or processing of special categories of data or data about criminal convictions and offences.
GDPR also beefs up some of the rights that exist for individuals under the current Data Protection Act, including the stipulation that individuals can request any data you hold on them and you must supply it in a concise, accessible and transparent way – and free of charge.
It also relaxes some of the restrictions around requests to erase personal information.
What do I need to do?
Firstly, obviously familiarise yourself with the new regulations.
The Information Commissioner’s website is a good place to start and is the source for much of the information in this blog.
Follow their ‘12 steps to prepare for GDPR’ document.
Secondly, we think the biggest challenges for small businesses are knowing where your data is held and who is responsible for it.
Remember GDPR applies to data you hold on your past and present staff, your suppliers as well as your customers.
So, you need to find all the data you hold across the various systems and devices your business uses.
This is a complicated and time-consuming challenge if your infrastructure is made up of many systems and packages.
We can help you with this as part of a managed service.
Once you know where your data is then we can support you to put in the governance and monitoring so that you comply and stay compliant.
Don’t bury your head in the sand. GDPR arrives next spring and will be here to stay.
But with effective planning, and support where needed, you can prepare properly and face the new data protection environment with confidence.
Please get in touch today for your no obligation GDPR Consultation on 0333 577 1555.