GDPR stands for General Data Protection Regulation and supersedes the Data Protection Act 1998. GDPR comes into force from 25th May 2018 and affects every business that holds personal data on anyone, including customers, employees, contacts and suppliers.

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”

Watch Information Commissioner, Elizabeth Denham, explain the new law:

GDPR is a legal directive from the European Union for the protection of personal data and, despite Brexit, the UK must still adhere to this law because a) we have chosen to, and b) our trade with other countries will be compromised if we don’t conform to the same set of standards. The important thing to note for businesses is that failure to comply with GDPR means they could be fined up to 4% of their annual turnover. The two-tiered sanctions system will apply from May 2018. Tier 1 will come into force following a serious breach of data, and companies will be fined up to £17.25m or 4% of the previous year’s annual global turnover, whichever is greater. Tier 2 can mean fines of up to £8.6m or 2% of annual turnover, whichever is greater.

N.B. Under the GDPR, data controllers* could face more severe fines than data processors* for failing to keep personal data secure.

So what should you do to comply with GDPR?

In order to comply, you should:

  • Complete Privacy Impact Assessments (PIAs) on systems and products
  • Assess whether existing products meet GDPR regulations
  • Implement ‘privacy by design’ and ‘privacy by default’ when designing new products
  • Review your processes and permission procedures for collecting personal data
  • Record your operations and activities involving data and make sure you have the required processing agreements in place
  • Never use email to distribute information containing personal data**
  • Understand your legal obligation to notify of a data breach
  • Designate a data protection officer, if applicable to your business or organisation

How else can you prepare for GDPR?

Your staff and the third parties who have access to your data will need to understand the implications of GDPR. Start educating them now and make your policies known and accessible to all. In addition, establish internal systems for reporting a breach of data.

N.B. Policies must cover personal data stored both on and offline.

If you would like some advice or clarification on how GDPR will affect you, in particular with regard to your data storage and transfer, email marketing and Customer Relationship Management, please get in touch.

For more information about GDPR, visit the Information Commissioner’s Office website.

*A data controller (either an individual or a business) determines the purpose for and manner in which personal data is processed. A data processor, on the other hand, is anyone who processes personal data on behalf of a data controller (other than an employee of the data controller).

**A good solution to this is to have a client portal on your website. Data remains in the portal and clients will log in to access it.