The EU General Data Protection Regulation (EU GDPR) is one of the most important changes to data privacy in 20 years. It affects businesses of all shapes and sizes.
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the result of four years of preparation and debate by the EU to bring data protection legislation in-line with how data is used within businesses. It has been designed to protect and empower the data privacy of all EU citizens and to reshape the way businesses approach data privacy.
When did GDPR come in to effect?
The regulation has applied in all EU member states since 25 May 2018. Regardless of Brexit, all UK organisations handling personal data need to be compliant with the General Data Protection Regulation.
How does it affect me and my business?
It applies to 'controllers' and 'processors' of data. A controller states how and why personal data is processed, whereas a processor handles the overall processing of the data. This applies to all data sourced from inside the EU - even if the controllers and processors are based outside the EU, the General Data Protection Regulation still applies.
Previously, the UK relied on the Data Protection Act 1998 (DPA) for best practice use of data, which imposed a maximum fine of up to £500,000 when breached. This has now been superseded by a new DPA which enacts the requirements of the GDPR, enforcing fines with an upper limit of €20 million or 4% of annual global turnover - whichever is higher - for serious breaches. This could make the threat of insolvency, or even closure, all too real for many businesses, so it is essential to check you are fully compliant.
QES GDPR Findings
Our 2017 Q4 Quarterly Economic Survey (QES), which ran between November and December 2017, focused on the upcoming changes to data protection and their impact on businesses in the West of England. This presentation reveals what we learnt.
Quick check - are you covered?
- Make sure that key players in your organisation are aware that the laws of data protection are changing
- Document the personal data you hold, where it came from and who you have shared it with
- Review current privacy notices and plan for making the necessary changes in time for the GDPR implementation
- Check your procedures to ensure they cover all the rights individuals have
- Update procedures and plan how you will handle data access requests
- Identify the lawful basis for your processing activity under the GDPR, document it and explain it by updating your privacy notice
- Review how you seek, record and manage consent
- Think about whether you need to put systems in place to verify ages or obtain parental/guardian consent
- Ensure you have the right procedures to detect, report and investigate breach of personal data
- Adopt a privacy by design approach and carry out a Privacy Impact Assessment (PIA)
- Designate a member or members of the team to take responsibility for compliance
- If you have establishments in more than one EU member state, determine which state your main establishment is in so that a lead data protection supervisory authority can be allocated
How we can help
The Information Commissioner's Office (ICO) has been assisting businesses and public bodies to meet the requirements of the GDPR ahead of May 2018.
And we're here to help too:
- By providing relevant information, advice and support on best practice to local businesses across the South West.
- Our Professional Advice Service (PAS) is a free, exclusive service to Chamber of Commerce members. To check your business is GDPR compliant, call 0800 980 2789 or email firstname.lastname@example.org
- Running a small business or charity? Contact the ICO helpline if you have any questions relating to the new data protection law, including the GDPR.