A new piece of European legislation comes into force on 25th May 2018 which will affect every business in Europe and many beyond. The GDPR (General Data Protection Regulation) is intended to unify data protection law throughout the EU. What is concerning is that many businesses do not seem aware of the changes, of the action they should be taking, or of the large fines they may face (up to 20 million euros or 4% of annual worldwide turnover, whichever is higher).
The first place to go for information is the Information Commissioner’s Office (ICO) website at www.ico.org.uk where there is, quite frankly, a frightening amount of information on GDPR. Whilst you should take the time to read through this and check your compliance with GDPR before it comes into force in May, I will attempt to summarise some of the key points for the smallest businesses. You should check this advice yourself and, if you are not sure on any point, consult a solicitor or other suitable advisor.
What data is covered by GDPR?
The legislation applies to personal data. At the most basic this is a name, an address, an email address or any other information that can be linked to an identifiable individual. Even information that has been pseudonymised is still personal data if the individual can be identified from it, for example by combining it with other information you hold. Both electronic records and paper records held in a filing system are covered by GDPR.
All businesses are vulnerable to data breaches. A breach is not only a hack: accidental loss, destruction or disclosure of personal data (a lost laptop, an email sent to the wrong recipient, a misplaced file) counts too. We have all heard horror stories of businesses having data stolen and the consequences for the individuals whose data was taken. No business is too small to be a target, and attackers may deliberately target smaller businesses because they often have less protection.
Under GDPR, a breach that is likely to result in a risk to the individuals concerned must be reported to the ICO within 72 hours of your becoming aware of it, and if the breach is likely to result in a high risk to them, the affected individuals must also be told without undue delay. The report must describe the nature of the breach, the likely consequences and the measures you have taken in response. You must also keep an internal record of every breach, including those you decide do not need to be reported.
The time to examine your email, online storage, computer systems, mobile phone security, paper filing and other systems is now.
If you send marketing material to individuals and rely on consent to do so, that consent must be freely given, specific, informed and given by a clear affirmative action; pre-ticked boxes, silence or inactivity do not count. In practice this means asking everyone on your existing list to take action, such as confirming that they wish to continue receiving information from you by ticking a box or clicking a link, and keeping a record of when and how each person consented.
If you have a website you may need to update your privacy statement and your terms and conditions. You would also be well advised to write down a security policy covering how personal data is stored, who can access it and how it is protected.
Registration with the ICO
Many small businesses will be exempt from registering as a data controller, but you should check with the ICO. If you do need to register there is a £35 fee. Don’t fall for one of the many registration scams out there, which will relieve you of far more; deal with the ICO directly, or contact them on their helpline number 0303 123 1113.
How do I Prepare?
In order to prepare for GDPR, as already mentioned you should read through the information on the ICO website and then decide what action you need to take. To start with, think about how you collect personal data, why you hold it, where you store it and how you protect it. Write down each area you need to consider and the action you need to take, and keep this document safe: GDPR requires you to be able to demonstrate your compliance, and this record is part of that evidence.
It is now late in the day and preparing for GDPR can take up a lot of valuable time, but it is always better to be prepared than to suffer the consequences of a serious breach and what could be a very nasty fine.
At Turl & Co we have been preparing for GDPR for some time and will have new processes in place in time for the May introduction. This means that we may soon be contacting you to request your consent to stay on our email list, and that in future you may need to enter a password to see confidential information that we send you.