Data protection rules change on 25th May 2018. Is your business ready? The General Data Protection Regulation (GDPR) is the new European framework for data protection law and replaces the current Data Protection Act 1998. It is a set of new data protection rules designed to standardise data privacy law across the EU. Its aim is to make businesses think seriously about data protection and to give individuals greater protection and stronger rights. It introduces stricter rules about the way businesses may gather, store and use personal data. As a business it is your responsibility to comply with these rules or risk facing hefty fines. At Data Computer Services we provide professional IT support services and will work closely with our customers to help them meet their GDPR obligations.
Will Brexit affect GDPR?
No. The government has confirmed that GDPR will come into force in May 2018 and, post Brexit, the UK is implementing a new Data Protection Act which will largely mirror the GDPR (with a few minor changes).
Will GDPR affect my business?
Most likely, yes. Any company, regardless of size, that processes 'Personal Data' or 'Sensitive Personal Data' (which GDPR calls special category data) is subject to GDPR. The main concession for companies with fewer than 250 employees is a lighter record-keeping requirement, and even that does not apply where the processing is regular rather than occasional or involves sensitive data. 'Personal Data' includes data such as name, address and IP address; even information held under a pseudonym is included if the person can be identified from it. 'Sensitive Personal Data' includes information about a person's religious beliefs, cultural identity, political opinions, racial or ethnic origin, sexual orientation and similar matters. In addition, the rules don't just apply to the data you hold about your customers; they also cover the data you hold about your suppliers, partner companies and even your own employees.
Will I need to hire a Data Protection Officer (DPO)?
GDPR requires a designated DPO for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. Most small businesses fall outside this and will be exempt. Even so, it is worth giving a member of your existing staff responsibility for data protection and ensuring that they are properly trained in the GDPR rules.
What changes will I have to make to comply with GDPR?
Even though small or medium sized businesses will generally handle far smaller volumes of data than larger businesses, the necessary procedures still need to be in place to protect the data and deal with requests. It is important therefore that you:
1. Know your Data
Whether you keep a small spreadsheet of customer details or run a full-blown automated digital capture system, GDPR applies. It is important that you know what data you hold, how it was captured, where and how it is stored, what you use it for, who else has access to it and how long you need to keep it. You also have a responsibility to ensure that any data you hold and share is accurate.
2. Understand Individual Rights
Individuals will have new rights regarding their data including:
- The right to know how and why you are using their personal data
- The right to access their data. This is known as a Subject Access Request (SAR). Currently businesses are allowed to charge individuals £10 for a SAR. From 25th May this fee is scrapped and a business will have one month to provide the information free of charge (extensions are available for complex requests)
- The right to have inaccurate data rectified
- The right to have their data deleted (in certain circumstances)
- The right to data portability, i.e. to receive the data they gave you in a structured, commonly used, machine-readable format so that it can be moved or copied securely from one IT environment to another
- The right to object to their data being processed
3. Review your Method of Consent
Consent is one of the lawful bases on which a business may process an individual's data, and where you rely on it the bar is high. Consent has to be given on an 'opt in' basis, by a clear affirmative act such as ticking an unticked box; pre-ticked boxes, silence or inactivity do not count. This is because to comply with GDPR, consent has to be verifiable: a business must be able to show unambiguous proof of what the individual agreed to, when, and how they gave that consent. Clear and simple processes must also be in place to allow withdrawal of consent, and withdrawing must be as easy as giving it.
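One way to make consent verifiable in practice is to keep an append-only consent log in which every grant or withdrawal records who, what purpose, the exact wording they saw, the method and the time, and every entry is chained to the previous one with an HMAC so later edits are detectable. The following is an added example written for this article, not code from Data Computer Services; the ledger key, consent wording and customer ids are constructed sample values for a hypothetical small business.

```python
"""Verifiable consent records. Added illustrative example, not code from
Data Computer Services; the ledger key, consent wording and customer ids are
constructed sample values for a hypothetical small business."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: this key is stored apart from the log (secrets store, HSM),
# so nobody who can edit the log can also re-sign it.
LEDGER_KEY = b"replace-me-with-a-real-secret"

# The exact wording shown to the person, versioned, so you can prove later
# what they agreed to. Sample text.
CONSENT_TEXTS = {
    "marketing-v1": "Tick this box to receive our monthly email newsletter. "
                    "You can unsubscribe at any time.",
}

# Only an affirmative act counts as consent; a pre-ticked box, silence or
# inactivity does not (GDPR Recital 32).
AFFIRMATIVE_METHODS = {"ticked_unticked_box", "signed_form"}


class ConsentLedger:
    """Append-only log of grants and withdrawals. Every entry carries an
    HMAC over its content and the previous entry's tag, so altering or
    removing an entry in the middle breaks verification."""

    def __init__(self):
        self.entries = []

    def _tag(self, body, prev_tag):
        payload = json.dumps(body, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(LEDGER_KEY, payload, hashlib.sha256).hexdigest()

    def _append(self, body):
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        self.entries.append(dict(body, tag=self._tag(body, prev_tag)))

    def record_grant(self, subject, purpose, text_version, method, when):
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError("not a valid opt-in: %s" % method)
        text = CONSENT_TEXTS[text_version]
        self._append({"type": "grant", "subject": subject, "purpose": purpose,
                      "text_version": text_version,
                      "text_sha256": hashlib.sha256(text.encode()).hexdigest(),
                      "method": method, "at": when.isoformat()})

    def record_withdrawal(self, subject, purpose, when):
        self._append({"type": "withdraw", "subject": subject,
                      "purpose": purpose, "at": when.isoformat()})

    def verify(self):
        """Recompute every tag in order; False if the log was tampered with."""
        prev_tag = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(body, prev_tag), e["tag"]):
                return False
            prev_tag = e["tag"]
        return True

    def has_consent(self, subject, purpose, at):
        """Whether consent was in force at `at`, plus the entry that proves it."""
        latest = None
        for e in self.entries:
            if (e["subject"], e["purpose"]) == (subject, purpose) \
                    and datetime.fromisoformat(e["at"]) <= at:
                latest = e
        return latest is not None and latest["type"] == "grant", latest


def rejects_pre_ticked():
    """A pre-ticked box must be refused as evidence of consent."""
    try:
        ConsentLedger().record_grant("cust-001", "marketing", "marketing-v1",
                                     "pre_ticked_box",
                                     datetime(2018, 5, 25, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


def demo():
    """Grant, withdraw, then tamper; returns the four checks."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record_grant("cust-042", "marketing", "marketing-v1",
                        "ticked_unticked_box", datetime(2018, 5, 25, 9, 0, tzinfo=utc))
    ledger.record_withdrawal("cust-042", "marketing",
                             datetime(2018, 8, 1, 12, 0, tzinfo=utc))
    before = ledger.has_consent("cust-042", "marketing",
                                datetime(2018, 6, 1, tzinfo=utc))[0]
    after = ledger.has_consent("cust-042", "marketing",
                               datetime(2018, 9, 1, tzinfo=utc))[0]
    intact = ledger.verify()
    ledger.entries[0]["purpose"] = "profiling"   # someone edits the history
    return before, after, intact, ledger.verify()


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The point of hashing the consent text and recording its version is that when a customer later disputes what they agreed to, you can produce the exact wording they were shown rather than whatever the form says today; the withdrawal entry sitting in the same chain is what lets you show that a mailing sent before August was lawful and one sent afterwards was not.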
4. Review Security
Good data security is essential in order to comply with GDPR. You must ensure that all business systems that collect, process and store personal information are secure, and GDPR names encryption and pseudonymisation as measures it expects you to consider. The use of encryption is recommended for all stored data (e.g. on laptops, mobiles, USB sticks, databases, file servers etc.) and for data in transit, with the encryption keys kept separate from the data they protect.
5. Have procedures in place for Data Breaches
It is essential that you have procedures in place to detect, report and investigate data breaches. A personal data breach that is likely to put individuals at risk must be reported to the relevant supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, and where the risk to individuals is high you must also tell the people affected. Failure to do so can lead to fines.
6. Destroy Old Data
GDPR requires that companies do not hang on to personal data for longer than necessary or use it for purposes other than those it was collected for. Decide a retention period for each type of data you hold and delete or anonymise it once that period has passed, unless a specific legal duty requires you to keep it.
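Steps 1 and 6 come together when you try to enforce retention: the inventory says which purpose each piece of data serves and how long that purpose needs it, and the purge has to cope with a record that serves several purposes, with erasure requests (step 2), and with data you are legally obliged to keep. The following is an added example written for this article, not code from Data Computer Services; the retention periods, purposes, field mapping and customer records are constructed sample values for a hypothetical SME.

```python
"""Retention and erasure enforcement. Added illustrative example, not code
from Data Computer Services; the retention periods, purposes, field mapping
and customer records are constructed sample values for a hypothetical SME."""
from datetime import date, timedelta

# Assumed retention schedule in days, counted from a purpose-specific anchor
# date (last marketing contact, last invoice, ticket closed). Real periods
# come from your data inventory and your legal and accounting advice.
RETENTION_DAYS = {"marketing": 730, "accounts": 2190, "support": 365}

# Which fields each purpose actually needs; a field is deleted only when no
# remaining purpose needs it.
FIELDS_BY_PURPOSE = {
    "marketing": {"email", "newsletter_prefs"},
    "support": {"email", "ticket_notes"},
    "accounts": {"invoice_address"},
}

# Purposes with a statutory retention duty that an erasure request cannot
# override (assumed here to be the accounting records).
STATUTORY = {"accounts"}


def expired_purposes(record, today):
    """Purposes whose retention period has run out for this record."""
    return {p for p, anchor in record["purposes"].items()
            if today > anchor + timedelta(days=RETENTION_DAYS[p])}


def apply_retention(records, today, erasure_requests=frozenset(),
                    legal_holds=frozenset()):
    """Return (kept_records, log). Data is kept only while some purpose still
    needs it; an erasure request drops every non-statutory purpose; a legal
    hold freezes the record untouched."""
    kept, log = [], []
    for rec in records:
        rid = rec["id"]
        if rid in legal_holds:
            kept.append(rec)
            log.append({"id": rid, "action": "kept", "dropped": [],
                        "reason": "legal hold"})
            continue
        drop = expired_purposes(rec, today)
        if rid in erasure_requests:
            drop |= {p for p in rec["purposes"] if p not in STATUTORY}
        remaining = {p: a for p, a in rec["purposes"].items() if p not in drop}
        if not remaining:
            log.append({"id": rid, "action": "deleted", "dropped": sorted(drop),
                        "reason": "no remaining purpose"})
            continue
        # Delete only the fields that no surviving purpose still needs.
        needed = set().union(*(FIELDS_BY_PURPOSE[p] for p in remaining))
        stale = set().union(*(FIELDS_BY_PURPOSE[p] for p in drop)) - needed
        trimmed = {k: v for k, v in rec.items() if k not in stale}
        trimmed["purposes"] = remaining
        kept.append(trimmed)
        log.append({"id": rid, "action": "trimmed" if drop else "kept",
                    "dropped": sorted(drop), "reason": "retention schedule"})
    return kept, log


# Constructed sample records; anchor dates are the dates retention counts from.
SAMPLE_RECORDS = [
    {"id": "c1", "name": "A", "email": "a@example.com", "newsletter_prefs": "monthly",
     "invoice_address": "1 High St",
     "purposes": {"marketing": date(2016, 1, 10), "accounts": date(2017, 3, 1)}},
    {"id": "c2", "name": "B", "email": "b@example.com", "ticket_notes": "printer jam",
     "purposes": {"support": date(2017, 1, 15)}},
    {"id": "c3", "name": "C", "email": "c@example.com", "newsletter_prefs": "weekly",
     "purposes": {"marketing": date(2018, 1, 1)}},
    {"id": "c4", "name": "D", "email": "d@example.com", "invoice_address": "2 Low Rd",
     "purposes": {"marketing": date(2018, 2, 1), "accounts": date(2017, 6, 1)}},
    {"id": "c5", "name": "E", "email": "e@example.com", "ticket_notes": "dispute",
     "purposes": {"support": date(2017, 1, 15)}},
    {"id": "c6", "name": "F", "email": "f@example.com", "newsletter_prefs": "weekly",
     "ticket_notes": "login issue",
     "purposes": {"marketing": date(2016, 1, 10), "support": date(2018, 1, 1)}},
]


def demo(today=date(2018, 5, 25)):
    """Run the purge on the sample data with two erasure requests and one hold."""
    kept, log = apply_retention(SAMPLE_RECORDS, today,
                                erasure_requests={"c3", "c4"}, legal_holds={"c5"})
    return {r["id"]: r for r in kept}, log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Two cases in the sample data are worth noticing: c1 loses its marketing data but keeps the invoice address because the accounts purpose still runs, and c6 keeps its email address even though marketing has expired because the open support ticket still needs it. c4 asked to be forgotten, but the accounting records stay because the statutory duty overrides the request; everything else about c4 goes.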
Many SMEs fear GDPR, either through unfamiliarity with the legislation or through not knowing how to prepare for the new rules. However, GDPR is not going to go away, and we would advise getting to grips with it now rather than leaving it until later, which could lead to serious fines. Once implemented correctly it can even benefit your own business: more accurate information, stronger data security and no sleepless nights worrying about a serious data breach.
DATA Computer Services is an experienced IT support company in Edinburgh. If you are a small or medium sized company and need help or advice on storing, maintaining or securing your business data, please feel free to Contact Us or give us a call on 0131 657 1666.