What is it?
The General Data Protection Regulations.
It’s new legislation to replace the Data Protection Act, coming into effect in May 2018. The GDPR is an EU law affecting every company based in the EU and, importantly, any company that trades with the EU, wherever they are based. The UK will still be in the EU in May next year, and we will want to continue to trade with the EU, so it’s likely we will keep the GDPR post-Brexit.
Who does it affect?
Almost everyone, to some extent.
If you employ people, your HR and payroll data will be subject to the GDPR.
If you have clients or do any marketing, your client data is covered.
If you book hotels and keep track of disabled access requirements, or you store food allergy information of your guests, that’s covered.
If you keep a list of what wine your top client drinks, or where they like to go on holiday, that’s covered.
Do you run a festival and use location-based data? You don’t store their names so it doesn’t count, right? Wrong, that seemingly anonymous data is covered as well.
If you record and store any information, about any identifiable person, even if you don’t store their name, the data is covered by the GDPR.
People will get the right to make a ‘Subject Access Request’, to see all the data you hold on them, and you will not be able to charge for it. They will have the right to request that inaccurate information is corrected, and they will get the right to request to be ‘forgotten’, i.e. to ask you to delete all the information you hold on them.
Basically, you need ‘clear consent’ from anyone who’s data you are going to store or process, you can only use it for the specific purpose you collected it for, you can only use it for a reasonable time, and you can only use it until they ask you not to.
The potential penalties are enormous, fines up to twenty million euros, plus damages, plus bad press and loss of reputation if you get caught out.
What you should do…
Take this seriously. It’s real, and it will affect you in some way.
Have a look at the data you have, where it is stored, and who actually needs it. Check your payroll, HR team, marketing team, accounts, operations, everyone who might store data within your organisation.
Delete anything you don’t need to keep. It sounds obvious, but the GDPR can’t apply to data you don’t have.
Minimise access. Restrict data to those who need it. For example, payroll don’t need to see why someone was off sick, they just need to know how many days to pay each person. Don’t duplicate data, filter it from a central source.
Make sure your data is secure. Don’t email unencrypted data files. Remind your team of the importance of passwords. Check that all your IT hardware has the latest security updates and virus protection.
For marketing, you can hold and process data with consent, but it must be an active opt-in, and the right to opt-out and to be ‘forgotten’ must be clear. Go through your mailing lists and make sure you have these consents and notifications in place.
Make sure your documents are up to date. Include your standard terms and conditions, employment contracts, opt-ins for web or location based data, data protection and privacy policies etc. There are various resources to help you with this – the PSA, the IOD, the FSB and other professional bodies can all provide templates that comply with recent legislation.
Think about data retention and deletion. How will you respond if you receive a Subject Access Request? Where will you have to look to gather all the information you hold on an individual? If someone asks to be forgotten, you need to be able to delete all their data, from all your systems, including backups.
Check your suppliers are compliant. Do you outsource your payroll, do you use an online service to manage your mailing lists, do you have a company that supports you with marketing? If you do, they are using your data, so they are your responsibility.
Train your team. Make sure they know about the GDPR and how it affects them.
Need more information?
There are various webinars and awareness campaigns being run at the moment as well – most banks and insurance companies will have information they can share with you.
If you’d like any support from us, please contact us and we’ll help you comply with the new regulations.