GDPR Compliance (Don’t Believe The Hype)
General Data Protection Regulations come into effect from May 25th 2018. This is just a quick post to update our clients and anyone else interested in how it may affect them in the UK. As usual with these things, there will be those who wish to use people’s lack of knowledge against them so they can make a quick buck. This article is designed to help you work out whether GDPR is going to be something that affects your business fundamentally or not.
What Is GDPR?
It’s basically an update to the EU’s privacy regulations that affects all businesses operating within the bloc. This means that a business does not have to be based in the EU to fall under these regulations.
What Are The Risks?
According to various sources, the fines for non-compliance will be up to €20 million, or 4% of annual global turnover – whichever is higher. But one of the most important aspects, which no business can ignore, is compensation claims for damages suffered.
If not handled carefully by the ICO, this could become an area for fraudulent claims against a company, since an individual can win an award against a business for non-compliance. We will see how this is implemented. But it is important that all businesses in the EU protect their operations from, or minimise their exposure to, this type of attack.
What Can We Do?
Here is a quick checklist to work out how your business falls under the new regulations.
Does my company have less than 250 employees?
If so, then you do not have to comply with most of the new regulations, such as documenting why personal data is being collected and processed, what information you’re storing, or how long you keep it for. You are not required to maintain a record of processing activities unless the processing carries a risk to the rights and freedoms of data subjects, is a regular occurrence, or relates to certain data such as criminal convictions and offences. So for most, existing privacy policies will cover them.
Do I need a Data Protection Officer?
No. DPOs are only a prerequisite for public authorities, and for businesses where data processing and monitoring are done on a large scale and which have to report to the ICO regularly.
Does my business conform to existing EU data protection laws?
The ICO has created an online assessment tool. Use it to quickly determine your business’s liability.
Does my business have a ‘right to be forgotten’ procedure that is clear to my customers?
In my opinion this is the main reason these rules are now in effect. With the advance of social media platforms and the concerns around information security, there is a lot more focus on the protection and the potential misuse of data.
So it is worth taking the time to look at your internal and external processes and put in place a procedure for clients and customers to choose to have their data ‘forgotten’ from your systems. This could be achieved by adding it to the terms of business on your website, or by including details on invoices and other correspondence.
The above steps will cover all small businesses in the UK, and will better prepare you for when someone tries to sell your sole-trader business a GDPR solution designed for a national company.
But if your business is not in compliance, here is a more detailed list of solutions that need to be carried out. It is also worth considering hiring a professional service to handle this implementation for you, such as the content management service provided by Mark Digital Media.
Hope this helps someone, and good luck out there!