You may or may not have heard about the GDPR in the news, online, or on social media. If you don’t know about it, it’s about time you get up to speed.
In 7 months time one of the biggest pieces of privacy legislation in over 20 years will come into effect across the EU. The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018 and aims to give consumers more power when it comes to controlling the use of their personal data. The new legislation aims to ‘harmonise’ a variety of current EU laws into one overarching law that covers the whole of the EU. And yes, the UK is still expected to comply despite our Brexit transition.
Any country in the world handling data on any EU citizen has to comply, and the UK plans to adopt GDPR, with some additions, into UK Law under the UK Data Protection Bill which is currently being debated in the House of Lords.
All firms that manage customer data will be affected – so in this day and age pretty much every organisation, big AND small. Some smaller firms will have a tougher time with compliance due to a lack of in-house IT and legal capabilities, so it’s important they pay extra attention. According to law firm Collyer Bristow, 55% of small businesses are still unfamiliar with the legislation. The more unsettling fact is that if these firms were hit with the maximum fine for non-compliance, 18% would be insolvent.
With this in mind, here are some key points to be aware of:
• Consumers will have the right to request a legible copy of all information a company holds on them.
• Consumers will have the right to request that a business deletes all of the data it holds on them, also known as the ‘Right to be Forgotten’ however this is subject to any legal obligation to hold that data.
• Businesses will require clear consumer ‘consent’ in every case when gathering their data, and additional consent for third parties including marketing, maintenance and support. It’s no longer a ‘one tick box for all’ situation.
• Cyber security will need to be integrated at the design stage, rather than an afterthought. Organisations will need to provide proof that this has been implemented.
• All businesses will be required to give notification of a cyber breach. Regulators also require all companies to put a solid procedure in place to show how a breach will be dealt with.
To help, the ICO has put together a handy guide on 12 steps all businesses should take now. You can view it here.
We cannot stress enough how important it is to understand what is required and to prepare. As they say, ‘failing to prepare is preparing to fail’.
If you would like any further information or advice feel free to contact us.