With possible fines of €20 million or 4% of a company’s global annual turnover for the previous financial year for non-compliance, GDPR is a hot topic of conversation among business owners right now.
The General Data Protection Regulation (GDPR) is enhancing the rules around data protection and privacy for all individuals in the European Union. All businesses, no matter how large or small, need to be compliant by 25th May 2018, and the Information Commissioner’s Office (ICO) has been issuing guidance to assist with this.
Many smaller business owners don’t believe GDPR applies to them. However, any business holding personal data will need to consider the impact of GDPR and become compliant with the legislation. There are enhanced criteria for those businesses holding sensitive personal data, such as health data or data regarding children.
If your business holds personal data then you may need to register your business with the Information Commissioner’s Office if you have not already done so. The ICO have a short online questionnaire on their website that you can use to establish whether you need to register. Registration currently costs £35 per year but will rise from May 2018, depending on the size and turnover of your business.
To ensure compliance with GDPR, the ICO have outlined 12 steps to follow: Awareness; Information you hold; Communicating privacy information; Individuals’ rights; Subject access requests; Lawful basis for holding data; Consent; Children; Data breaches; Data protection by design and data protection impact assessments; Data Protection Officers; and International.
There is more information regarding these 12 steps on the ICO website if you want to find out more. It is important to follow advice from reputable sources regarding GDPR, as there is a great deal of misinformation online. Unfortunately there are people taking advantage of businesses regarding GDPR, with so-called ‘experts’ making money giving the wrong advice. If you use a GDPR consultant, please check their credentials and their experience in data protection and security to ensure they are reputable.
As a business owner it is important to document your data protection guidelines for GDPR. Two of the key areas to review under GDPR are rights for individuals and IT security. Many businesses are currently updating their privacy policies, consent forms and mailing lists as well as reviewing their IT systems to ensure compliance. Many are carrying out staff training to ensure everyone is aware of their obligations under GDPR.
GDPR focuses on individuals’ rights, ensuring the rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and not to be subject to automated decision making. The regulation sets a high standard for the consent individuals give to businesses: their consent must be freely given, specific, informed and unambiguous, with a positive opt-in, separate from other terms and conditions. In addition, people must be able to easily withdraw their consent.
In terms of IT security, some important areas to review are your website security and your security controls, including passwords, firewalls, virus protection and secure data backups. You will need to ensure your data is secure both in the office and on the move: smartphones should be password protected, laptops encrypted, and you should have the ability to wipe devices remotely.
Businesses also need to consider the GDPR compliance of organisations they transfer data to, such as Mailchimp, Google and Microsoft, together with those who have access to their data, e.g. their website provider and accountants. The onus is on businesses to ensure any organisation that deals with their data is also GDPR compliant, and to document that this has been checked.
If you need more advice, the Information Commissioner’s Office website has guidance for businesses at https://ico.org.uk. Please do seek professional advice if required for your business. This article is for awareness purposes only and should not be used as a compliance control.
Follow @ByJoveMedia on Facebook, Twitter and Instagram to stay up to date with all things social media and @TheDistrictPost on Facebook for all your local news and information, plus DPTV every Friday!