GDPR A complex puzzle made simple...but are you ready?

April 13, 2018

The General Data Protection Regulation (GDPR) becomes law next month, requiring businesses to be more accountable when handling personal information. We unravel its mysteries – and outline what you can do now

When GDPR comes into effect on 25 May, it will change the way companies can collect, store and use personal information.

Building on the existing Data Protection Act 1998, it aims to give people more control over the data organisations hold about them.

It’s being launched because many companies were using personal data however they wanted. For example, some sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to protect data against hackers.

GDPR gives control of personal data back to the people it belongs to and requires organisations to make data protection central to how they operate.

It’s likely to affect big organisations first, but small businesses aren’t exempt, so it’s important to know your responsibilities and ensure you’re compliant when it comes into force.


What is ‘personal data’?

Personal data is any information relating to an identifiable individual, whether a customer, employee, supplier or anyone else you collect data from. It includes names, contact details, medical information and credit card details, as well as digital identifiers such as website cookies and IP addresses.

How you collect data

You can only collect personal data if you have a legal reason to do so. For example, you might need it to fulfil a sales contract, or a customer may ask you to send them information about a product or service. You must make it clear what the data will be used for and use it only for that purpose.

Consent

You don’t always need formal consent if there’s another legal basis for gathering, retaining and processing information. While getting someone’s consent might sound like the simplest way to stay compliant, there are so many conditions attached to valid consent that you could still be in breach even though you believe you have permission. So it’s always best to seek advice before you start.

Contracts and terms and conditions

These need to be clear and easy to understand, with no complex legal text.


Right to know

When individuals ask a business what information is being held about them, organisations must now respond within one month and can’t charge a fee.

Right to erasure

Customers can ask a company to delete all stored personal data about them, unless the company needs to keep it for legal reasons, e.g. tax.

Data portability

Individuals can request a digital copy of their data to use however they wish, e.g. switching to a new service provider.


Data security – and breaches

Any data held must be stored securely, including paper records. Most breaches must be reported to the relevant supervisory authority within 72 hours, and the affected individuals (the data subjects) must also be informed.

Penalties

If you don’t keep personal data secure, or you use it for purposes other than those it was collected for, you can be hit with severe financial penalties. ‘Lesser’ incidents carry a maximum fine of £10 million or 2 per cent of an organisation’s global turnover, whichever is greater. Serious breaches can result in fines of up to £20 million or 4 per cent of turnover.

GDPR and Brexit

The UK government will incorporate GDPR into UK law before Brexit, so leaving the EU won’t make any difference to your obligation to comply.


In conclusion...

There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – which means treating it as you would something valuable of your own.


If you have a GDPR query, email Nicola Jengaenga at nicola.jengaenga@select.org.uk or call her on 0131 445 9225. The Information Commissioner’s Office (ico.org.uk) and the Federation of Small Businesses (www.fsb.org.uk) can also offer advice.

GDPR CHECKLIST


Products and services

  • Check which products or services collect and process personal data

  • Ensure you have a legal basis for the processing of personal data

  • Ensure you can comply with the obligations to your customers as set out in the GDPR, such as the right of access and the right of erasure


Notices and contracts

  • Update your internal and external notices for GDPR compliance

  • Ensure your customer contracts are all GDPR compliant


Responsibility

  • Make someone in your organisation responsible for all data protection and privacy issues

  • Consider whether you need to appoint a Data Protection Officer – check out the ICO’s guidance for more info

  • Give data protection training to staff

Security

  • Ensure systems that collect, process and store personal data are secure

© 2016 by CABLEtalk Magazine

CABLEtalk magazine, Studio 2001, Mile End Mill, 12 Seedhill Road, Paisley PA1 1JS