The General Data Protection Regulation (GDPR) is a set of EU rules that govern the collection and processing of personal data. GDPR came in to force on 25th May 2018 and is one of the biggest shake ups in data protection and online privacy that businesses and organisations have had to adjust to. The tougher rules mean that all businesses and organisations that process personal data should carry out an audit of all data they store and process, detailing in the audit such matters as what data they hold, how they process that data, how long they store that data for and the legal basis for storing the personal data. Businesses will need to review their policies, their procedures, their security measures to ensure they meet the strict requirements of GDPR. If you handle individuals’ personal data you need to be aware of what their rights are under the regulation. Individuals’ rights in respect of their personal data under GDPR are: 1) The right to be informed 2) The right of access 3) The right to rectification 4) The right to erasure 5) The right to restrict processing 6) The right to data portability 7) The right to object 8) Rights in relation to automated decision making Before a business or organisation processes personal data they should determine the lawful basis for processing that data. There are 6 lawful bases that can apply, which are: a) Consent b) Contract c) Legal obligation d) Vital interests e) Public task f) Legitimate interests If despite the policies, procedures and security you put in place to protect personal data you suffer a personal data breach that results in a risk to people’s rights and freedoms then you must report the breach to the Information Commissioner’s Office without undue delay and at the latest within 72 hours of becoming aware of the breach. For those businesses who are tempted to ignore GDPR and hope they can carry on as normal, they should take heed of the potential fines that can be levied for breaches of GDPR. Under GDPR fines of up to 20 million Euros or 4% of turnover can be imposed. In addition there is the reputational damage and the potential for a civil claim where an individual’s personal data has been compromised. In contrast if you comply with your duties under GDPR you may have a competitive advantage, gaining a reputation for trustworthiness and professionalism. For a lot of small businesses, GDPR is something they are afraid of, but if you take a systemic approach, get the help you need and do not stick your head in the sand, then there is no need to panic. GDPR was not put in place to punish businesses but to protect all of us. If you would like advice on GDPR and help with drafting the necessary documentation or you would like suitable training presented to your staff please contact Shane McCann at PA Duffy Solicitors on 028 8772 2102 or email Shane at shane@paduffy.com. The above information has been provided for informational purposes only and does not constitute legal advice.