GDPR (General Data Protection Regulation)
Are you prepared for GDPR?
Ignore it, and your business is at high risk of a massive fine. Why?
Because the General Data Protection Regulation (GDPR) comes into effect in the UK, unifying the law across Europe.
GDPR is new legislation to replace the UK Data Protection Act. It adds huge legal responsibility for the safe use of data directly onto your shoulders, which any business owner ignores at their peril.
A year ago, TalkTalk was fined £400,000 for data security failings. Under the new GDPR fine regime that would be… £59 million.
So, if it hasn’t hit home yet, your business needs to prepare now. And no, Brexit won’t save UK businesses from this legislation. It’s going ahead…
Who does GDPR affect?
Everyone. But especially an employer or business owner – that’s you!
That’s because you control personal data. ‘Personal data’ means any information relating to an identifiable living individual that you store or otherwise process.
If you have employees, you should at least have their contact and bank details. That’s data. Staff performance reviews, attendance records – all data.
On the surface, following GDPR is like the current legislation, in that you must demonstrate that you store data securely and respect individuals’ rights over their data. But huge changes are on the way…
The main changes under GDPR:
The problem with the current legislation is that technology has moved far faster than the UK Data Protection Act could keep up with.
Rather than bolting more amendments onto laws that already lag well behind how we live our online lives, GDPR gives people control of their personal data. Here’s how:
• The right to be informed – you must tell people, in your privacy notice, what data you collect about them and how you process it fairly and lawfully.
• The right of access – individuals can ask for a copy of the data you hold on them and find out how you’re using it.
• The right to rectification – people can ask you to correct inaccurate data and complete incomplete data.
• The right to erasure – commonly called ‘the right to be forgotten’. People can ask you to delete or remove their personal data.
• The right to restrict processing – the individual can require you to keep storing their data but stop processing it in other ways.
• The right to data portability – people can obtain their data from you in a commonly used, machine-readable format and reuse it, for example by moving it to another service.
• The right to object – people can opt out of you profiling them based on their data, sending them direct marketing, or using their data for research.
• Rights in relation to automated decision-making and profiling – safeguards for people where decisions about them are made purely automatically, with no human involved.
What you should do now:
If 25th May 2018 seems like a long way away, it isn’t. But there is still enough time if you act now.
Pink Connect have prepared a process your business can follow to identify “the gap” between where you are now and where you need to be by 25th May. We have experts in GDPR ready to either guide you to compliance, or to project manage and resolve compliance for you. This will:
• Make sure people in your business know that the law is changing.
• Create a register of the personal information you hold, where it came from, and who you share it with.
• Review your current privacy notices for the data you store and prepare to change them for GDPR.
• Get consent to store, manage, maintain and use personal data.
• Check that you can honour the rights of individuals.
• If someone asks for their data, you should be able to give them it in a secure, standard format.
• If someone asks you to remove their data, make sure you can prove you’ve done so.
• Put in place a process for handling requests for any of the data you hold, including how quickly you will respond, how you will provide it, and how you will verify that the requester really is the person the data is about before you release it.
• Decide if you need a system for identifying the age of individuals and whether you need parent or guardian consent.
• Have an incident response plan for a data breach, whether data is lost, stolen or accessed without authorisation, including how you will contain it and who you must notify.
• Nominate a responsible person to be your Data Protection Officer.
• Put in place the hardware and software needed to secure your network against hacking, ransomware and other malicious attacks.
• Put documentation in place that proves you have done everything that could reasonably be required to comply. It is not enough simply to comply; you must be able to prove you took all the steps GDPR requires, or you risk a potentially bankrupting fine.
The sooner you start preparing, the sooner you get your house in order, and the smoother the transition will be – protecting you against a devastating financial penalty.
Call one of our security experts on 0345 450 9393 today. You don’t have long.