In respect of GDPR, the EU commission’s website states:
As of May 2018, with the entry into application of the General Data Protection Regulation, there is one set of data protection rules for all companies operating in the EU, wherever they are based
Stronger rules on data protection mean:
- people have more control over their personal data
- businesses benefit from a level playing field
This includes us in the UK and will continue to be the case post Brexit.
As a business, hopefully you have started to address your GDPR issues, no matter how small or large they may be, because there’s not much time before they’re enforced in May of this year.
Of course there have been a lot of operators (mostly good, some bad) out there warning about the financial and legal implications of not being 100% compliant by then. This is where some of the Fear, Uncertainty and Doubt (FUD) arises.
Some issues to be aware of
- As a business, you will need to identify what personal (not only customer) data you may hold and process.
- Remember that your staff information is included here – such as payroll information – and the processors of this data are under your purview as well.
- Of course personal data is not only held in that really secure database of yours but probably lurks in spreadsheets or report extracts in folders on your servers, which are more susceptible to finding their way into the wrong hands, usually in error.
- Have you addressed the interfaces with any data processors, such as other businesses emailing your customers on your behalf, as well as understanding what efforts they have taken to address their internal GDPR issues which over your interactions with them?
- Do you have documentation (risk assessments) in place outlining how you have addressed your GDPR requirements? And do you have policies and procedures in place to deal with
– requests for data held,
– deletion of said data,
– any data breaches that occur and how they are to be reported?
- Lastly, but probably most importantly, are your staff aware of their responsibilities in respect of GDPR?
GDPR is in essence not something new, it’s really just a more rigorous application of the DPA (Data Protection Act) with clearly defined processes for dealing with breaches (fines, legal action, etc).
Most of it is common sense application of certain guiding principles to prevent misuse of personal information, giving the owner of the data control over how the data is used and what information is held about them.
Some useful links can be found below:
If you haven’t started yet, look here: 12 Steps
Getting ready for the GDPR an automated check list tool
GDPR – sorting the fact from the fiction, a blog by the UK ICO, Elizabeth Denham
Action taken by the ICO, a collection of various actions and fines meted out thus far (so not toothless).
And here are some definitions
Should you have outstanding issues or questions with regards GDPR, please do contact us and we will address your issues as quickly as possible.