Impact of GDPR
You may be aware that General Data Protection Regulation (“GDPR”) will become effective from 25 May 2018 and the Government have confirmed that it will come into effect for organisations in the UK on this date regardless of Brexit.
Under GDPR, organisations have additional obligations in handling the personal information of individuals compared to the Data Protection Act 1998. In order to comply with GDPR, all organisations regardless of size must implement appropriate technical and organisational measures.
The first step in becoming compliant is to conduct an audit of the personal data you hold within your business to understand what data you collect, why you collect it, whether it is classified as ‘sensitive data’, how it is stored, whether it is really required and how it is deleted. This will allow you to identify any risks or gaps in current processes.
There are also increased rights for the individuals whose personal information you hold – they may be able to ask for their information to be deleted or object to how you use their data.
Appropriate privacy notices will need to be made available to individuals for whom you hold personal data and you will also need to review your contracts with third parties to ensure they are GDPR compliant.
More information is available in the attached leaflet.
Data breaches
Under GDPR, organisations are required to report certain types of personal data breaches to the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of the breach. Some organisations may think that they are not at risk of a data breach; however, breaches can result from IT systems being hacked, or they can be as simple as the loss of a phone holding messages or emails detailing staff information, or an email with a payslip being sent to the wrong email address. It is important that you have adequate documented security processes in place to reduce the risk of a breach, and processes to help you deal with a breach within the 72 hour timescale.
Fines
The fine for a personal data breach is up to 4% of the annual worldwide turnover to a maximum of €20 million.
Next Steps
Organisations need to understand what GDPR means for their business and start to put processes in place. The attached leaflet provides further information on the areas that you may need to think about when getting ready for GDPR.
If you would like any assistance with how to get ready for GDPR, contact us to discuss where you can get help.