Changes to Data Protection Regulations that will affect your business.
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It introduces new, and strengthens existing, rules on protecting the personal data your business holds about individuals (customers, suppliers, employees, etc.), and it covers paper records held in a filing system as well as digital records.
The Information Commissioner’s Office (ICO), the UK regulator for how organisations hold and use personal data, will enforce the new rules. The maximum fine under GDPR is €20m (roughly £17m at the time of writing) or 4% of worldwide annual turnover, whichever is higher. The ICO has said it is not in the business of crippling firms with huge fines, but it will expect businesses to be able to demonstrate compliance with GDPR from 25 May 2018.
The main points on GDPR are:
- Informing individuals, in clear language, what personal data your business holds about them, what it is used for and on what lawful basis it is processed.
- Ensuring that suppliers who hold or process personal data on your behalf (a processor, for example a cloud email provider such as Office 365) are GDPR compliant, and that you have a written contract with them setting out their data protection obligations.
- Designating a named person in your business who is responsible for data protection compliance. A formal Data Protection Officer is only mandatory in certain cases (for example, public authorities or organisations whose core activities involve large-scale processing of special-category data), but someone should own the task regardless.
- Having appropriate technical and organisational measures in place to control the data and prevent breaches, for example access controls, encryption, and staff training.
- Having procedures in place to detect, contain and manage a personal data breach. Where a breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay.
- Holding personal data for no longer than is necessary for the purpose it was collected for. In practice this may mean only as long as is needed to meet your contractual or legal obligations, and your retention periods should be written down.
The above concerns data you hold but GDPR also covers marketing data.
The two main areas are:
- Emails – where you rely on consent to send marketing emails, that consent must meet the GDPR standard: freely given, specific, informed and unambiguous, given by a clear affirmative action (no pre-ticked boxes or inferred consent). Existing consents that do not meet this standard need to be refreshed before 25 May 2018, and you should keep a record of who consented, when, and how.
- Websites – your website may be collecting personal data and behavioural information about visitors, for example through cookies and tools such as Google Analytics. You need to know what data your website collects, be transparent with visitors about how it is collected and what it is used for, and have a lawful basis for collecting it.
This article is only intended to make you aware of GDPR and some of the main changes. For full guidance, visit the ICO website, which publishes a 12-step guide to preparing for GDPR and a toolkit for assessing your compliance.