What is “GDPR”?
General Data Protection Regulation, or GDPR, is the new law protecting personal data, which will apply in the UK with effect from 25 May 2018. It will replace the current UK Data Protection Act 1998.
Personal data is any information relating to a living individual who can be identified from it, directly or indirectly. For example, this includes employee records and home contact details, online identifiers such as IP addresses, CCTV images and call recordings, passport copies and right to work visas.
GDPR will impact your whole organisation, ranging from the personal data you collate for new leads (whether on email, in offices or on site) to the contact details you record for customer sales.
What will we need to do differently under the GDPR?
The GDPR introduces greater legal protection over personal data and also introduces certain new requirements, such as
- the obligation for companies to retain formal records of how they store and process personal data
- mandatory obligations to report certain personal data breaches to the regulator, without undue delay and where feasible within 72 hours of becoming aware of them
- mandatory obligations to notify affected individuals where a personal data breach is likely to result in a high risk to them
Additionally, the upper limit for fines under the GDPR has increased to up to 4% of annual worldwide turnover or €20 million, whichever is higher. The work to implement any required new procedures and policies will need to be completed between now and May 2018, to ensure you are GDPR compliant.
Every business should consider:
- what personal data they need to retain and why
- how they can work to process such data digitally wherever possible, without the use of hard copies
- defining how and when such data may be retained with established retention plans
- always deleting or safely destroying any other personal data
What do I need to do now?
- Audit any personal data you collect or deal with in your day to day roles. Note down what you use that data for and start to build a list of the different types of personal data you need, and the reasons for retaining each
- Decide how you will store any personal data electronically within appropriate company systems, and whether you actually need to process/store personal data in hard copy e.g. in filing cabinets on site. Whenever feasible personal data should be processed and retained electronically, prior to eventual deletion at the required time; hard copies should be avoided or minimised, then destroyed (shredded) or processed as confidential waste
- Get ready for preparation of the detailed GDPR policies that you will need over the next few months – these will set out what changes you must make as regards your use and storage of personal data
- Never destroy personal data in a non-secure manner. For example, no personal data should be discarded into open waste bins.
How we can help you:
- Data Collection Audit Spreadsheet
- Website Privacy Notice
- Company Data Protection & Retention Policy
- Data Processor Appointment
You can sign up for the updates and access to the toolkit here – get immediate notification.