Scope of GDPR
The General Data Protection Regulation (GDPR) comes into force on May 25, 2018, two years after its adoption in April 2016.
A widely repeated claim is that the regulation only applies to companies with more than 250 staff, which on the face of it suggests that most UK small businesses are exempt. It isn’t that simple. The GDPR applies to any organisation that processes personal data, whatever its size. The 250-employee figure comes from Article 30, which only relieves smaller organisations of the duty to keep written records of their processing activities, and even that relief falls away where the processing is not occasional, is likely to put individuals at risk, or involves special categories of data such as health information or criminal records. “Processing” is defined broadly: collecting and storing personal data count just as much as actually using it.
Despite the UK’s vote to leave the EU, UK businesses will still have to comply while the UK remains a member, and the government has indicated that it intends to keep the rules in domestic law after Brexit, so planning on the basis that the regulation will continue to apply is the safe assumption.
Key features of GDPR
If your business handles the personal data of employees or customers, the GDPR applies to it. It applies regardless of where that data is held, whether on your own systems, in the cloud or on mobile devices, so the first task is to identify every place personal data is processed or stored.
The GDPR also hands control back to individuals, who have the right to know how their personal data is used and to object to certain uses. The right to erasure (the “right to be forgotten”) lets an individual ask for their personal data to be deleted, for example where they withdraw the consent on which the processing was based or where the data is no longer needed for the purpose it was collected. Individuals also gain a right to data portability: to receive the data they have provided in a structured, commonly used, machine-readable format and to move it to another provider.
Breaches of personal data must be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; the 24-hour figure sometimes quoted came from an earlier draft and is not in the final text. Where a breach is likely to result in a high risk to individuals, they must be told as well. Under the current Data Protection Act the ICO’s maximum penalty is £500,000; under the GDPR it can fine up to €20 million or 4% of annual worldwide turnover, whichever is higher.
What should your business do?
The first step is to find where all customer and employee data lives. Once you have a clear picture, work with an IT support provider to put in place the measures and software needed to protect sensitive data proactively. Prevention comes first, but if a breach does occur it must be detected, contained and reported within the deadline, because failing to report is itself a breach of the regulation and can attract a fine.
For any help you may need with GDPR, please get in touch.