Due to take effect on 25 May 2018, the new General Data Protection Regulation (GDPR) is quite literally just around the corner – and fines for non-compliance are frighteningly high, which is why businesses need to act quickly.
From the end of next month, all businesses will have to meet the requirements of the GDPR, which will effectively replace the outstanding Data Protection Act 1998.
The new legislation poses a number of challenges to businesses in relation to the ways in which they collect, store and handle any personal data they hold – which will need to be closely reviewed.
The new rules apply to all data, regardless of whether that data belongs to clients, consumers, employees, suppliers or vendors, which means that an overhaul of existing processes will be no easy task.
Nevertheless, all businesses must be able to demonstrate how they meet the GDPR’s new ‘Six Principles when using personal data – which must be
- Processed lawfully, fairly and in a transparent manner;
- Collected for a specific, explicit and legitimate purpose;
- Adequate, relevant and limited to what is necessary;
- Accurate and kept up to date;
- Kept for no longer necessary; and
- Kept secure.
Compliance is of vital importance as, from 25 May, the Information Commissioner’s Office (ICO) will have the power to issue fines of up to four per cent of global turnover, or €20 million, whichever is higher, for non-compliant businesses that suffer serious data breaches.
Due to this, it is important to seek specialist advice to ensure your business is ready today.
What must I do before 25 May?
Ahead of the GDPR’s introduction, it is important to review and record what data you hold, how you obtained it and what you use it for. On top of this, you will need to check how secure the data is, who has access to it and whether it has ever been transferred outside of your business.
Furthermore, you need to ensure that any data complies with the Six Principles listed above – and also be aware of the eight rights granted to individuals under the new legislation, so that you are prepared in the event an individual chooses to exercise these rights.
As a minimum, you need to contact clients and customers to tell them that you hold their data. These individuals should also be given access to a privacy notice.
The rules governing the GDPR are complex and confusing – and falling foul of these rules can have drastic consequences. Due to this, all businesses should seek specialist legal advice ahead of time.
For tailored advice on what your business needs to do in order to be GDPR-compliant, please contact Kate Boguslawska or telephone: 020 7406 1018.