The General Data Protection Regulation (GDPR) is quite literally just around the corner – and fines for non-compliance are frighteningly high, which is why businesses need to act now to ensure they are fully compliant ahead of 25 May 2018.
From the end of next month, all businesses will have to meet the requirements of the GDPR, which will effectively replace the Data Protection Act 1998.
What fines could I face?
From 25 May, the Information Commissioner’s Office (ICO) will have the power to issue fines of up to four per cent of global turnover, or €20 million, whichever is higher, for non-compliant businesses that suffer serious data breaches.
Due to this, it is important to seek specialist advice to ensure your business is ready today.
What challenges does the GDPR pose?
The GDPR poses a number of challenges to businesses in relation to the ways in which they collect, store and handle any personal data they hold. These changes apply regardless of whether that data belongs to clients, consumers, employees, suppliers or vendors.
All businesses must be able to demonstrate how they meet the GDPR’s new ‘Six Principles’ when using personal data. The data must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for a specific, explicit and legitimate purpose;
- Adequate, relevant and limited to what is necessary;
- Accurate and kept up to date;
- Kept for no longer than necessary; and
- Kept secure.
Ahead of the GDPR’s introduction, it is important to review and record what data you hold, how you obtained it and what you use it for. On top of this, you will need to check how secure the data is, who has access to it and whether it has ever been transferred outside of your business.
Furthermore, you need to ensure that any data complies with the Six Principles – and also be aware of the eight rights granted to individuals under the new legislation, so that you are prepared in the event an individual chooses to exercise these rights.
As a minimum, you need to contact clients and customers to tell them that you hold their data. These individuals should also be given access to a privacy notice.
The rules governing the GDPR are complex and confusing – and falling foul of these rules can have drastic consequences.
If you are concerned that your business has a long way to go in order to be fully compliant, get in touch with Palmers today.