• GDPR stands for the General Data Protection Regulations. These regulations originate in the EU and will replace the existing Data Protection Act.
• They will come into force on 25th May 2018
• Brexit will have no effect on the GDPR – the Government has committed to ensuring they take effect in the UK.
• Main purpose – giving data subjects (individuals) greater control over their personal data.
• Affects all businesses holding personal data – not just client/prospective client data but also eg employee data.
• Myth number one – it doesn’t affect me I am a small business (it affects all businesses).
• Myth number two – it doesn’t affect me I only sell to other businesses (it affects all personal data held by a business eg if you sell to ABC Ltd you will be dealing with a person there whose personal details – name. address, email etc – you will hold; if you have employees you hold employee data; if you recruit you hold prospective employee data).
• The key requirement is to “demonstrate compliance”. It is no longer enough just to make a decision, you will now need to document what you considered when making the decision (the legal basis for processing); what decision you made, why etc.
• This will affect all processes, procedures and documents that affect or are affected by data processing.
• Data cleansing should take place before May – i.e. get rid of any data you no longer need, but get rid of it safely to ensure no privacy breaches.
• Marketing databases are a particular concern – opting out of emails/contact is no longer enough, data subjects have to opt in. A double opt in is needed if you are to be safe under the GDPR ie the data subject needs to click on an email/complete a form AND THEN ALSO confirm that instruction by clicking in a link in a follow up email.
• All employees handling data will need training.
• This is an ongoing process that needs to be kept under review – it is not a one time only compliance exercise.
• Sanctions are either 4% of worldwide turnover or 20 million Euros, whichever is the greater.
What is Bright doing to help?
• We are providing free of charge a data mapping exercise for clients/prospects to complete. This is a time consuming but necessary first step to ensure the business knows what data it holds, where, why, who has access to it, who it is shared with etc.
• When the data map is returned to us we evaluate where the gaps are and quote to implement the necessary reviews, documents etc
What should businesses do?
• Take it seriously – appoint someone to take the lead on compliance, devote time and resource to it.
• Speak to us (of course) and complete a mapping exercise to start with
• Do not panic but do prepare.