GDPR - Protecting your Data and Protecting your Business
The General Data Protection Regulation (GDPR) is a set of EU rules that govern the collection and processing of personal data. GDPR came into force on 25th May 2018 and is one of the biggest shake-ups in data protection and online privacy that businesses and organisations have had to adjust to.
The tougher rules mean that all businesses and organisations that process personal data should carry out an audit of all the data they store and process, recording in the audit such matters as what data they hold, how they process it, how long they store it for and the legal basis for holding it. Businesses will need to review their policies, procedures and security measures to ensure they meet the strict requirements of GDPR.
If you handle individuals’ personal data you need to be aware of what their rights are under the regulation. Individuals’ rights in respect of their personal data under GDPR are:
1) The right to be informed
2) The right of access
3) The right to rectification
4) The right to erasure
5) The right to restrict processing
6) The right to data portability
7) The right to object
8) Rights in relation to automated decision making
Before a business or organisation processes personal data it should determine the lawful basis for processing that data. There are 6 lawful bases that can apply, which are:
a) Consent
b) Contract
c) Legal obligation
d) Vital interests
e) Public task
f) Legitimate interests
If despite the policies, procedures and security you put in place to protect personal data you suffer a personal data breach that results in a risk to people’s rights and freedoms then you must report the breach to the Information Commissioner’s Office without undue delay and at the latest within 72 hours of becoming aware of the breach.
For those businesses who are tempted to ignore GDPR and hope they can carry on as normal, they should take heed of the potential fines that can be levied for breaches of GDPR. Under GDPR, fines of up to 20 million Euros or 4% of turnover can be imposed. In addition there is the reputational damage and the potential for a civil claim where an individual’s personal data has been compromised. In contrast, if you comply with your duties under GDPR you may gain a competitive advantage, earning a reputation for trustworthiness and professionalism.
For a lot of small businesses, GDPR is something they are afraid of, but if you take a systematic approach, get the help you need and do not stick your head in the sand, then there is no need to panic. GDPR was not put in place to punish businesses but to protect all of us.
The above information has been provided for informational purposes only and does not constitute legal advice.