Is your business up to date with the EU’s unified framework of personal-data protection?
The General Data Protection Regulation (GDPR) was introduced by the European Union (EU) to provide a unified framework of personal data protection. It came into effect in May 2018 and impacts businesses, charities and individuals.
Now GDPR’s in place, these six key questions will help you understand how GDPR affects your business and if you’re meeting its requirements. Please note that not all businesses are the same and this guide shouldn’t replace professional advice.
GDPR strengthens an individual’s rights over their personal data, including
Personal data relates to an identified or identifiable individual, rather than data referring to a company. Names and addresses can be considered personal data, as can other data that refers to a person, e.g. ID numbers and attributes such as gender, economic status and social status.
GDPR covers all information recorded electronically, and most information recorded physically, that relates to or can identify any individual from the EU. This means that any business or charity wishing to interact with anyone from the EU must comply, even if it is based elsewhere. UK businesses and charities have to adhere, regardless of the ongoing negotiations around Brexit.
The ‘right to remedy’ means that individuals have new and enhanced rights and, in some cases, the right to compensation. There are also significant fines of up to 4% of revenue or €20m for any organisations found to be non-compliant.
Alongside a potential fine, failure to comply with GDPR runs the risk of damaging your business reputation, as well as relationships with suppliers and partners. Getting on top of this regulation and ensuring your business is compliant should be a priority.
There are steps you can start to take to make sure you’re not caught out. A good starting point is to make checklists of the personal data you hold, its source, and how you use it. You can then review your existing processes and develop new processes, if needed, to comply with the regulation. Put simply, you must comply with the regulation when you’re using any personal data within your business.
Work out what data you hold on your customers
Most businesses across the UK, regardless of size or nature, will hold data on their customers. This could be as simple as email addresses and phone numbers, or more sophisticated data storage such as tracking customers’ online habits when visiting your website, or saved card details.
Lawful processing of personal data
You should consider the reasons why you are capturing and processing personal data. Note that there are multiple legal bases for processing data which you may be able to rely upon. If you need to rely on consent to process personal data (perhaps for some forms of marketing), you need to ensure that consent is freely given before the data is processed, is unambiguous, and can be withdrawn at any time.
Allowing customers access to their data
If a customer wants to access the data you hold on them, you must have a process to provide that access within one calendar month. If they wish to withdraw their consent and have the data deleted, you should be able to satisfy those requests.
Employee data
The regulation also covers your employee data, which you need consent to collect and which you must protect. These aren’t the only actions you have to take, however.
The Information Commissioner’s Office (ICO) has put together 12 key actions
All businesses are subject to the same principles, and the steps and sources of information here are by no means exhaustive and shouldn’t replace professional advice. For more help, we recommend speaking to a professional adviser or your accountant.
You might not need to – it depends on the type of data and scale of collection and processing you’re carrying out for your business. You can check whether you need to appoint one on the EU Commission website.
GDPR and the Data Protection Act 2018 have replaced the Data Protection Act 1998.