Did you miss our January Workshop? GDPR – back to basics.
25th January 2018
We launched our 2018 Workshop programme on 25 January with the hot topic of GDPR. Our presenter for the event was Alex Kiernan from Loch Employment Law, and he took us through a presentation that linked GDPR with the English Cooked Breakfast! Some very tenuous links from Alex, but the attendees seemed to enjoy them!
If you’ve come across people in your network talking about GDPR, but are unsure about what it is and what it means for your business, you are not alone. In this blog we’ll take a look at what GDPR actually is and the implications for your business.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new regulation that governs personal data collection and processing throughout the EU. It will come into force on 25 May 2018.
In the UK, data protection legislation is currently covered by the Data Protection Act (1998). A new Data Protection Bill has been put to the House of Lords, which will update the UK’s legislation with a new Data Protection Act. This will cover the requirements of GDPR in the UK.
Why has the GDPR been introduced?
Since the last Data Protection Act was introduced in 1998, there has been an explosion in digital technology, and with it a proliferation in the use and transmission of personal data.
The GDPR aims to make data protection laws fit for the digital age, empower people to take control of their personal data, and ensure businesses are using personal data responsibly.
Where GDPR refers to “personal data”, it means information that relates to an identifiable person, so it will cover any information you hold for marketing, finance, or HR management purposes. The new regulation will cover:
- Collection and storage of personal data
- Use of, or processing of, personal data
- Alteration, disclosure and destruction of personal data
It’s important to note that Brexit will not have an impact on the UK’s implementation of GDPR.
What are the aims of GDPR?
The main goal of the GDPR is to ensure greater harmonisation of data protection regulations across Europe, with a single standard for all countries. The regulations also mean that businesses will have to take greater ownership over the data they collect, reducing risks associated with storing personal data and implementing ways to avoid the misuse of data.
What are the key points I need to know about GDPR?
- GDPR applies to all organisations that store or process EU citizens’ data
- The individual’s rights to their data are stronger and more extensive
- The rules apply to both physical filing systems and electronic data
- GDPR breaches can incur much larger fines – up to 4% of annual turnover or €20 million
- Organisations are held accountable for demonstrating compliance, and this needs to be evidenced
- Consent to process data must be unambiguous: verifiable, clear and affirmative.
It’s also important to note that organisations will be responsible for self-reporting any breaches within 72 hours. Any third parties who handle data on your behalf (data processors) will also be liable for breaches going forward.
Your organisation’s responsibilities
Your organisation may be classed as a ‘Data Controller’ or a ‘Data Processor’. In some situations, you may be both.
A Data Controller is an organisation that collects, keeps or processes data. They dictate why and how data is processed.
A Data Processor is a third party which may process certain data for a specific function, e.g. a payroll provider or IT company. A data processor has new obligations under GDPR and takes on greater liability if they breach the regulations.
Some organisations are required to appoint a Data Protection Officer to monitor compliance:
- Public Authorities
- Organisations which regularly process large volumes of personal data e.g. health care providers.
Whilst it is not a legal obligation for other organisations to appoint a Data Protection Officer, you may want to consider doing so.
So what do I do next?
Our first recommendation is to understand what GDPR is - reading this blog is a good starting point. You need to understand the changes and how they will impact on your business, and we suggest that you provide training to your staff on the implications for them in their role.
Secondly, you need to carry out an audit of your data and processes – everything that you do to collect, process and store data needs to be assessed for compliance with the new rules. From here you can identify any areas where you need to make changes to your business processes.
Don’t forget, the rules come into force on 25 May 2018, so you need to ensure you are compliant by this date.
What if I need help?
Loch Associates Group is able to help guide you through auditing your current data processing. We offer a GDPR Audit service, which will help you understand your current level of compliance and provide a report on your key risk areas. We are also able to provide training to your staff so they understand the importance of GDPR.
Please contact us at firstname.lastname@example.org or call us on 01273 311855 to discuss your requirements in more detail.
The audit report you receive from us will not only help you develop your compliance plan before May, but can be used as evidence to demonstrate that you have thought about your risks, should the ICO ever request to see your documentation.
GDPR is coming and every organisation, regardless of size, will be affected. It is the responsibility of business owners to ensure their own compliance before the new rules come into force, or else risk fines they may not be able to afford.
The event was sold out, with an ever-growing waiting list, so we were delighted with the turnout for our first event of 2018, and a huge thanks to Loch Employment Law and the team for presenting.
GDPR may be a dry topic, but it is one that affects all of us, and we need to ensure that we have the proper processes in place ready for the date in May.