If you are a business owner, you have no doubt heard of GDPR. Standing for the General Data Protection Regulation, this law came into effect on 25 May 2018 and is the biggest change to UK and European data protection law in more than 20 years, replacing rules that dated from the 1995 Data Protection Directive.
GDPR was introduced to reflect the huge changes in the way businesses collect and use data. It is designed to protect the personal data of individuals, such as clients and customers, and it governs how that data is collected, stored and ultimately used. It applies to businesses of every size, from one-person operations to large multinational organisations. Because GDPR covers so much ground, the regulation can seem daunting. To help you understand what GDPR means for your business, we have put together the following information to show what you will need to do to comply.
What does GDPR cover?
Personal Data – This is any information relating to an identified or identifiable living individual, including your clients, employees, suppliers and website visitors. It covers the obvious items, such as names, contact details and bank details, but also anything that can single a person out, such as a customer reference number, an email address or an IP address. Under GDPR you may only collect and use personal data if you have a lawful basis for doing so, for example because you need it to perform a contract with that person. You must tell people why you are collecting their data and be clear about what you will use it for.
Right of Access – An individual has the right to ask what personal data your business holds about them and what you are doing with it. You must normally provide this free of charge and respond within one month of the request (this can be extended by up to two further months for complex or numerous requests, provided you tell the individual within the first month).
Right to Erasure (the Right to be Forgotten) – A person can ask for their data to be deleted, and in many cases you must comply. The right is not absolute: you can refuse where you are legally obliged to keep the data (for example tax and accounting records) or where you need it to establish or defend legal claims.
Data Portability – A person can ask for a copy of the data they have provided to you, in a structured, commonly used and machine-readable format, so that they can reuse it or move it to another provider. This applies where you process the data by automated means on the basis of consent or a contract.
Data Breaches – If your business suffers a breach of the personal data you hold, and the breach is likely to result in a risk to the rights and freedoms of the people concerned, you must report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to those people, you must also tell them directly without undue delay.
What your business can do
To help businesses, particularly smaller-sized ones that may not have the resources to employ a professional to help with such details, we have compiled the following practical tips:
1. Study! It may seem obvious, but there is a lot of information out there regarding GDPR. The more you and your employees know about GDPR, the easier it will be for you as a business to comply.
2. Review the information you hold. Each business is different in what personal data it holds and why. Conduct a review of the personal data your business collects, including where you get it from, why you collect it, where it is stored, who has access to it, how long you keep it and who you share it with. Write the results down: this record lets you identify and document a lawful basis for each purpose, and it is the starting point for everything else on this list.
3. Have a Privacy Notice. GDPR requires you to tell individuals, at the point you collect their data, what you are doing with it. This is usually done in a privacy notice. Your privacy notice must include who you are, why you are collecting and processing the data and the lawful basis you rely on, how long your business intends to keep it, which third parties (if any) you will share it with, the rights individuals have over their data, and how they can complain to the ICO.
4. Meet your obligations. With customers, employees and suppliers able to request the personal data you hold about them, you need procedures in place so that you can find, verify and provide that data within the one-month deadline. In practice this means knowing which systems hold personal data, being able to search them for a named individual, and verifying the identity of the person making the request before you disclose anything, so that a subject access request does not itself become a way for an impostor to obtain someone else’s data.
5. Get consent where you rely on it. Consent is one of the six lawful bases under GDPR, not a requirement for all processing; if you process data to perform a contract, to meet a legal obligation or on the basis of a legitimate interest, you do not need consent for that purpose. Where you do rely on consent (for example for marketing emails), it must be freely given, specific, informed and unambiguous, given by a clear positive action rather than a pre-ticked box, as easy to withdraw as it was to give, and you must keep a record of who consented, when and to what.
6. Have a data breach plan. With so much information now stored digitally, data breaches are becoming more widespread. You are required to protect personal data with appropriate technical and organisational measures, but if a breach does occur you must have procedures in place to deal with it, including how you will contain it, assess the risk to the people affected, and report and investigate it. Not every breach has to be reported to the ICO: only those likely to result in a risk to individuals, and those must be reported within 72 hours of you becoming aware of them. You must, however, keep an internal record of every breach, including the ones you decide not to report, and why.
7. Have a designated employee. With GDPR now so important, and the threat of large fines for failure to comply being very real, it is important that someone in your business is responsible for data protection. Appointing a formal Data Protection Officer is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, so for most small businesses it is not required and employing someone for this may be impractical. It does mean, however, that every business owner should know as much about GDPR as they can in relation to their own business and regularly review their arrangements to ensure the business remains compliant.
Failure to comply with GDPR
With so much personal information now being collected by businesses, regulators are taking GDPR very seriously. Heavy penalties have been introduced to deter businesses from ignoring the rules and to punish those that fail to comply. If your business breaches GDPR, for example by processing personal data without a lawful basis or by failing to honour individuals’ rights, it may be liable to a large financial penalty. For the most serious infringements the maximum fine is €20 million or 4% of the business’ total annual worldwide turnover, whichever is higher; a lower tier of €10 million or 2% applies to breaches of obligations such as record keeping, security and breach notification. The actual size of a fine depends on the nature, gravity and duration of the breach, but the maximums should serve to show how seriously GDPR is now being taken.
We hope the above information has helped shed some light on what is undoubtedly a complicated area. There is an enormous amount of information regarding GDPR online, especially on the Information Commissioner’s Office’s own website. By reading up on what you are now required to do, and identifying how these rules apply to your own specific business, you will be able to create a simple data protection policy that protects both your business and your customers and suppliers.