
GDPR Simplified

First published on: 24th May 2018

GDPR is new legislation that comes into force on the 25th of May 2018. It affects every organisation that stores personal information about individuals, and that includes businesses.

The General Data Protection Regulation (GDPR) gives people more rights over how their personal information can be gathered, stored and used. Every business will need to comply with the regulations set out by this new legislation by the 25th of May; failing to do so can incur strict penalties.

Many businesses already comply with what GDPR brings in. However, time should be invested in making sure that your business is fully compliant, so as to avoid any possible penalties.

If the GDPR legislation is new to you, here is an outline of the basic information that you need to know:

  • GDPR brings in new and updated rights for individuals regarding their personal data, and your business must have a legitimate, legal reason for holding a person's information. There are 6 possible legal bases that a business can use for holding data; make sure that you are aware of these.

  • Anyone who has their data stored by your business can request to see a copy. This would include everything that is stored about that person, whether on spreadsheets, databases, documents, USB sticks or printed paper. A copy must be given within 30 days of the request being made. (There is an exception if the communication mentions another subject.) Should a person make this request electronically, such as by email, then the information must also be supplied electronically. For businesses using paper-based systems, you will need to transfer all of this information to an electronic form.

  • An individual may request that all their information be erased. Should such a request be made, the business must comply by removing all their data; if the data has been shared with a third party, that third party must also be informed. There are exceptions to this right, such as for child protection purposes, for Gift Aid claims, or where the business has another legal basis for holding the data. You will also need to make any consequences of erasure clear to the individual.

  • Transparency is key to GDPR: the business must provide accessible information to individuals about how their personal data will be used. A comprehensive Privacy Notice must therefore exist, outlining in detail all your plans for an individual's data. If your business does not have a Privacy Notice, you can purchase a Draft Privacy Notice from our website.

  • Whilst your business doesn't necessarily need a Data Protection Officer in place, you will need to appoint someone to be responsible for data protection within your business. This person should be named within your business's Privacy Notice so that everyone knows whom they should contact, should they have any data-related concerns.

A lot of GDPR is common sense: treat an individual's data the way that you would want your own data to be treated. However, it is important that businesses understand what is required of them under GDPR so as to ensure full compliance. You can work through this GDPR Checklist to help meet compliance, but we recommend that you seek legal counsel to ensure that your business is completely compliant with GDPR.
