GDPR – are you Data Protection ready / compliant?
“Let’s make it simple: Government control means uniformity, regulation, fees, inspection, and yes, compliance.” – Tom Graves
The term ‘GDPR’ (General Data Protection Regulation) has been bouncing around for months now. It is all over professional online forums and sites such as LinkedIn, but how much do you really know about the GDPR? Where GDPR is concerned, you will more likely than not fall into one of two camps:
- You are ready for 25 May 2018 and are currently taking all the necessary and proactive steps available to you to ensure your compliance with the regulations; or
- You have failed to acknowledge the importance and enormity of this seismic shift in legislation and need to start taking active steps towards rectification.
GDPR is the biggest change in data protection since 1998 when the law surrounding data protection was first introduced.
The government has been forced to revamp the current Regulations and account for the phenomenal update in technology we have seen over the past 20 years. Every business now has data at its fingertips and in this modern age, accountability and responsibility for that data needs to be at the forefront of your business’s mind.
GDPR provides 6 core principles that businesses must comply with:
- The lawful processing of data
- Businesses must demonstrate a ‘legitimate purpose’ for processing data
- The data held must be ‘relevant and necessary’
- Accuracy of the data held
- The data must be kept securely
- Businesses must be able to demonstrate compliance with the Regulations
In other words: there must be a lawful reason to collect the data, it must be collected for a legitimate purpose, the data must be relevant and limited to what is strictly necessary, the data must be accurate and kept securely, and the business must be able to demonstrate its compliance with the Regulations.
Although the legislation is so obviously necessary, that necessity does not negate the sizeable task that lies ahead of every business. Businesses aren’t necessarily expected to know the ins and outs of GDPR, but they are expected to consult with an expert who can and will assist with their business needs in the run-up to May 2018. The fines for non-compliance are considerable, and there is a sizeable difference between the current fines and the penalties moving forwards. Failure to comply with the Regulations could lead to a fine of up to 4% of your annual turnover or up to €20 million.
One of the biggest shifts under GDPR will be that the Information Commissioner’s Office (‘ICO’) will be able to take proactive steps to ask businesses to prove compliance with GDPR even if there has not been a data breach or complaint.
GDPR will impact every business regardless of size, scope or turnover, as every business holds some degree of personal data, whether that data relates to employees, clients, third parties or marketing databases.
Businesses that are not already preparing for the change will need expert advice on implementing new procedures, predominantly dealing with: the personal data of employees; the data of clients and how that is distributed; and contracts and relationships with third parties and other businesses.
Third parties’ compliance with GDPR
A question we are frequently asked of late is: why does it matter to my business whether or not third parties comply with GDPR?
One big part of the change is that the buck cannot be passed. If you have a relationship with a third party, and that third party is found to be in breach of GDPR, your business (in addition to the third party) will face the significantly increased fine. It is therefore advisable to have written contracts with all third parties setting out the contractual obligation to comply with GDPR, and for your organisation to set the parameters within which any data processor with whom it shares data must comply. Businesses that aren’t already preparing for the changes need to seek legal advice now to avoid the inevitable adverse consequences that could follow. Ask yourself: why take the risk?
Some of the key steps businesses need to take include:
- Understanding what types of data they store and how this data is used;
- Providing appropriate Privacy Notices to clients, prospective clients and marketing databases;
- Amending current employment policies and providing staff with appropriate information and training on GDPR;
- Understanding and, where appropriate, amending contractual relationships with third parties and suppliers.
For many years, the manner in which data has been managed has been ‘hit and miss’, and fines were rare and often reserved for extreme scenarios. This will change, and businesses need to take steps now to ensure compliance.
The new data protection approach under GDPR is genuinely onerous on business owners and the risks are severe, so seek professional advice and support from experts to ensure you comply with the requirements and protect your business.