The clock is ticking to ensure that your business is prepared for General Data Protection Regulation (GDPR) compliance.
When the new regulation is introduced later this month on 25 May it will supersede the UK Data Protection Act 1998 (DPA). It will tighten up how organisations in the UK and EU store and handle data, and expands the rights of individuals to control how their personal data is collected.
We at Business West are busily working on becoming compliant. We’re not GDPR experts, and don’t claim to be, but we’ve pulled together a few key considerations to help you make sense of compliance and signpost you to the right advice.
What you need to be aware of
If your organisation is already complying with the Data Protection Act (1998), then it is worth identifying what changes will need to be made so you can quickly progress with your preparations to comply with the GDPR. The Information Commissioner's Office (ICO) has put together a handy self-assessment toolkit which can help with this, if you need it.
Failure to comply with the GDPR could incur costs referred to as administrative fines. These are discretionary rather than mandatory and will only be imposed on a case-by-case basis, but if your organisation does not comply you could face fines of up to €20 million or 4% of annual global turnover, whichever is higher.
However, it is important to note that not all infringements will lead to serious fines. To enforce the GDPR, the ICO has a range of corrective powers and sanctions, such as issuing warnings and reprimands, imposing a temporary or permanent ban on data processing, and ordering rectification.
How to prepare your organisation for GDPR
The GDPR will have a varying impact on businesses and organisations; for example, not every company will require a Data Protection Officer (DPO), because some already have a dedicated member of staff reviewing their current position and building a strategy for compliance. That said, any organisation whose processing of personal data can lead to the identification of a person will have to comply to avoid potentially damaging fines, not to mention damage to its reputation.
The ICO have created a 12-step guide which includes steps such as making key decision makers aware that the law is changing, checking procedures to ensure they cover all the rights individuals have and making sure that you have the correct procedures in place to detect, report and investigate a personal data breach.
As well as this guide, the ICO also have a dedicated advice line to offer help to small organisations and charities preparing for the new data protection law, including the GDPR.
There are also some practical measures which you can start to implement ahead of 25 May. These include:
- Running an internal audit of how you store and share files throughout the business
- Communicating opt in / opt out preferences for marketing and making it easier to unsubscribe if required
How you, as an individual, can prepare for GDPR
Along with the designated colleague who is taking responsibility for data protection compliance, and/or a designated Data Protection Officer (DPO), there is a lot which individuals within an organisation can do to help stay on the right side of the new data protection law:
- Always flag a concern about data breaches with your DPO (or equivalent) – if in doubt, make them aware
- Be careful when passing information between departments or “partners” to ensure the data doesn’t end up in the wrong hands
- Clear desks of papers which display contact details and other sensitive information
- Password protect files, laptops and phones
- Clear down caches
The ICO says:
“Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.
Tell it all, tell it fast, tell the truth.”
We can help too...
As mentioned earlier, we’re not GDPR experts, and don’t claim to be, but the content and events featured on our dedicated GDPR hub are provided by experts in the field, with the aim of helping you make sense of compliance and signposting you to the right advice.
Our Professional Advice Service (PAS) is a free, exclusive service to Chamber of Commerce members. To help prepare your organisation for GDPR compliance, call 0800 980 2789 or email firstname.lastname@example.org.
Let us help you
By registering your interest, we'll be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business.