The EU General Data Protection Regulation (GDPR) is the biggest ever shake-up of data protection law, yet many businesses feel unprepared.
With the GDPR applying from 25 May 2018 and the UK not leaving the EU until 2019 at the earliest, Brexit will not affect the introduction of the GDPR in the UK. After Brexit the UK will replace the Data Protection Act 1998 (DPA) with legislation that mirrors the GDPR.
This means now is the time to put the processes in place to ensure you are compliant.
Any company, big or small, will have to comply with the new rules on the secure collection, storage and use of personal information. Failure to do so may be met with heavier fines (up to €20 million or 4% of global annual turnover, whichever is higher) or other regulatory censure. What’s more, individuals can sue you for compensation for both material damage and non-material damage, such as distress.
The core objectives of the GDPR are to give individuals more transparency and control over their personal data and to unify the rules across the EU. It is making companies across the EU think seriously about data protection.
Does it apply to you?
If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data. That includes present and past employees and suppliers, not just client data.
If it’s a routine occurrence, then you should abide by the GDPR. In a nutshell, any business affected by the Data Protection Act (DPA) will also fall under the GDPR. The key difference between the DPA and the GDPR is that the latter defines personal data more broadly (online identifiers such as IP addresses and location data count), has a wider scope and imposes stricter requirements.
Understanding the type of data affected under the GDPR is one thing, but finding out where that data is held may not be as easy. For example, think of personal emails sent and received by your staff that may have been lurking on your server for years. Every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.
It’s a complex task, and data discovery technology can help. Many IT consultants are offering GDPR toolkits and the Information Commissioner’s Office offers some helpful guidance.
A big plus to all of this is that you will probably emerge with more structured data and be able to monitor and manage it easily in future. You’ll also be in pole position to respond to Subject Access Requests (SARs) – when individuals ask to see a copy of the information an organisation holds about them – and the ‘right to be forgotten’ (right to erasure), which may require you to identify and erase all of an individual’s data.
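To make the data discovery and SAR points above concrete, here is an added example (not from the original article or any particular vendor’s GDPR toolkit) of the kind of first-pass scan a discovery tool performs: it walks a set of documents, flags values that look like personal data (e-mail addresses, UK National Insurance numbers, UK mobile numbers) and builds an inventory of where each kind lives, plus a lookup of every location that mentions a given data subject. The documents and their paths are constructed here for illustration; the regular expressions are deliberately simple and would need validation and tuning before use on real mail stores, file shares or cloud buckets.

```python
"""Illustrative personal-data discovery scan (added example, not from the article).

Scans constructed sample documents for values that look like personal data
and returns an inventory of where each category was found. Real inputs
would be mail archives, file shares, mobile backups and cloud storage.
"""
import re
from collections import defaultdict

# Simple patterns that will produce false positives; a production tool adds
# validation (e.g. NI number prefix rules) and many more categories.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Two letters (excluding D, F, I, Q, U, V), six digits, suffix A-D.
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", re.IGNORECASE),
    # UK mobile in national (07xxx) or international (+44 7xxx) form.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
}

# Constructed sample corpus: path -> file contents (hypothetical names).
SAMPLE_DOCUMENTS = {
    "mail/archive/2009/hr-leavers.txt": (
        "Leaver: Jane Doe, jane.doe@example.com, NI number AB123456C, "
        "forwarding mobile 07700 900123."
    ),
    "shares/finance/suppliers.csv": (
        "supplier,contact,phone\nAcme Ltd,bob@acme.example,+44 7700 900456\n"
    ),
    "shares/it/runbook.txt": "Restart the service with systemctl restart app. No contacts here.",
}


def scan_document(text):
    """Return {category: [matched strings]} for the personal data found in one document."""
    found = {}
    for category, pattern in PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            found[category] = matches
    return found


def build_inventory(documents):
    """Return {category: {path: match_count}} across every document scanned."""
    inventory = defaultdict(dict)
    for path, text in documents.items():
        for category, matches in scan_document(text).items():
            inventory[category][path] = len(matches)
    return dict(inventory)


def locations_for_subject(documents, email):
    """Every path that mentions a data subject's e-mail: the starting point for a SAR or erasure request."""
    needle = email.lower()
    return sorted(path for path, text in documents.items() if needle in text.lower())


if __name__ == "__main__":
    for category, locations in build_inventory(SAMPLE_DOCUMENTS).items():
        print(f"{category}: {locations}")
    print("Jane Doe appears in:", locations_for_subject(SAMPLE_DOCUMENTS, "jane.doe@example.com"))
```

The inventory is what lets you answer “where do we hold personal data?” for the record of processing, while the per-subject lookup is the list of places you would have to export for a SAR or purge for an erasure request. Note that the runbook, which holds no personal data, correctly produces no entries.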