Remember, remember the 25 May 2018, does not quite have the same distinctive ring to it as the rhyme that marks fireworks night and the infamous gunpowder plot. Nevertheless, the 25 May 2018 should be in every business calendar and labelled with high importance since it marks the day when the new General Data Protection Regulation (GDPR) comes into force in the UK. With the GDPR aiming to give more rights and protection to EU citizens, there are stricter obligations on how businesses process data meaning it is time to get serious about data.
Power to the Individual
Individual rights have come a long way since the Jacobean period and the GDPR seeks to further them still. Whilst many rights were included in the previous Data Protection Act, the GDPR highlights and enhances the rights of individuals to access, to rectification and to erasure, to name a few examples.
With emphasis on improving the rights of data subjects, it is for businesses to ensure they are transparent and accountable in relation to their data processing. Understanding how you hold data and for what purpose is a key first step in readying your business for the GDPR.
Reviewing your current position and processes will help you understand what changes you need to make before May 2018 particularly regarding individuals’ consent to data processing.
The GDPR introduces a higher standard of consent so that any business must be sure every individual can easily understand what their data will be used for. Clear, specific and unamibguous ‘opt-in’ boxes for collecting data are now a must and if you process data in relation to children you may need to think about a mechanism of obtaining parental consent is in place.
Getting your own business on board
The GDPR will apply to personal data that is held anywhere within an organisation and will have an impact on your whole organisation, from the HR department to the marketing team. It is vital therefore, to ensure that your business understands the implications of the GDPR and your employees appreciate their role in compliance.
Knowledge of the GDPR throughout the business will be particularly useful when facing a potential breach since the GDPR obliges companies to report any breaches within 72 hours of obtaining knowledge of the breach to the relevant authority.
Appointing a Data Protection Officer, which is a requirement for certain businesses, to take responsibility for GDPR and educate others may help employees throughout the organisation avoid potential breaches and understand their part to play in GDPR compliance.
A fine of up to a whopping €20 million (or 4% of annual worldwide turnover) is on the table for any breach of the GDPR which may be reduced to up to €10 million for more minor infringements or a reprimand if appropriate. So while penalties for compliance failures may not be on the same level of punishment as Guy Fawkes, they should not be overlooked!
To put your mind at ease before May 2018 and get ahead of the game, why not give Hybrid a call and let us help you get your business ready for the GDPR.