GDPR: Is your business ready?
The introduction of the General Data Protection Regulations (“GDPRs”) on 26 May 2018 has been hailed as the biggest legal shake-up for businesses since the introduction of the Health and Safety Regulations in the 70s.
The GDPRs will affect how every business handles and processes information held on individuals, ranging from clients to employees. Most importantly, it will grant individuals a number of new rights to the information held on them.
The GDPRs will apply to all businesses that offer goods and services to individuals within the UK and EU.
Will Brexit affect the implementation of the GDPRs?
No: the government has confirmed that the GDPRs will form part of UK law following the country’s withdrawal from the European Union.
What are the consequences if my business does not comply?
A breach of the GDPRs can result in a fine of up to 20 million euros or 4% of your business’s global turnover, whichever is higher. Penalties are tiered but these figures provide an indication of the seriousness of a breach.
Compliance with the GDPRs should allow your business to process data more efficiently and avoid these hefty penalties.
What does my business need to do?
We advise all our clients to speak to us in the first instance. We will provide you with advice which is tailored to your business, taking into consideration its size and the goods/services it offers. The following key points should be considered by all businesses, however:
1. Be prepared: Remember, there is no “grace” period: the GDPRs come into force and are effective from 25 May 2018. You should carry out a data audit now to establish what kinds of data you hold, why it is being processed, where it is held (and the form in which it is held) and how long the information will be retained for.
2. Consider consent: Consent must be informed and transparent. This means that the individual concerned must understand what exactly they are consenting to. Requests for consent should therefore be made in clear, plain language: a simple question or opt-in should be provided.
3. Lawful processing: Consent in itself is not a silver bullet. It can be misunderstood or withdrawn, and so Data Processors have an ongoing duty to ensure processing is lawful. In certain circumstances, however, lawful processing can be demonstrated on other grounds, for instance where processing is necessary for the performance of a contract or to comply with a legal obligation.
4. Retention of data: Review what data your business is holding on individuals, how it is being held, how it is being used and if it is necessary.
5. Data Protection Officer: A DPO is mandatory in some circumstances. This should be someone within management who has the relevant skills and experience.
6. Review Policies: Ensure that you have policies in place that will protect your business, such as a Social Media Policy, a Data Protection Policy and a Mandatory Breach Reporting Policy.
7. Training: All employees with access to personal data should be given regular training. Records of training provided should be retained.
What to do if you encounter a breach of the GDPRs
1. Get advice: Seek advice immediately from a Solicitor who has experience in this area of law.
2. Report: All breaches must be notified to the Regulators within 72 hours of becoming aware of the breach.
3. Inform: The data subject(s) might need to be informed about the breach. This should enable them to take steps to minimise loss.
How can Thomas Taggart & Sons assist my business?
Initially, we can provide your business with tailored advice on all areas relating to the GDPRs and Subject Access Requests. We can help you draft GDPR-compliant policies, review your third-party contracts and provide bespoke training to your employees.
Thereafter we can assist your business as it responds to issues caused by the GDPRs (such as requests by individuals for information held about them, requests for information to be erased or rectified and assisting in the aftermath of a breach of the GDPRs).
Contact us today to discuss your business's needs.