This post was written by Iain Garfield, Head of Commercial Team at BPE Solicitors, as part of our Gloucestershire Expertise series. We are giving local leaders the opportunity to share their knowledge and experience, to help other ambitious enterprises grow. If you would like to contribute to the series, please email email@example.com
On the looming legislation, Iain writes...
What is GDPR?
The General Data Protection Regulation comes into effect on 25 May 2018 and is designed to provide a framework for keeping personal data safe and to protect individuals from unsolicited or intrusive contact from organisations.
Who does GDPR affect?
GDPR will touch every business to some degree. Some organisations, including retailers, large employers, e-commerce businesses and data houses, will be particularly affected, and contracts with third parties and suppliers will need to be checked to ensure that the businesses you work with also comply. Don’t overlook the data you hold internally about your employees either, as this is also subject to GDPR.
Why is GDPR so important?
GDPR will essentially replace the existing Data Protection Act, but its regulations are wider-reaching, including broader definitions of ‘personal data’, more information to be given to individuals, strict timeframes for reporting issues to the ICO and the need for some businesses to appoint data protection officers. Potential fines for non-compliance are also high and could reach €20 million or more for some organisations, as they are based on a percentage of worldwide turnover.
Myths and misconceptions
- GDPR will only affect big businesses. GDPR applies to all businesses that hold data on EU citizens and will continue to apply when the UK leaves the EU.
- You don’t have to worry about GDPR if the information is already in the public domain. Information must be processed according to GDPR regardless of its source and, if you want to send marketing information, you must satisfy one of the statutory grounds beforehand, regardless of how accessible the data is.
- Regulations surrounding sensitive data remain the same. In fact there are three new categories of sensitive personal data, and data relating to criminal records is now treated entirely separately. There is also a different set of statutory grounds to satisfy before you can process sensitive data.
- Most companies won’t need a specific data protection officer (DPO). The need for a DPO relates to the activities of your organisation and the volume of sensitive personal data you process, so a formal DPO could well be mandatory for smaller organisations as well as larger ones.
- We don’t need to worry about Data Protection Impact Assessments (DPIAs). Some organisations, particularly those processing large volumes of sensitive data or data relating to criminal convictions, will need to complete a DPIA. It will also be needed if you process data primarily using new technology or in an automated manner.
A few quick wins...
- Carry out a data audit
- Check how you currently get consent to hold data (and whether you need consent at all)
- Make sure that your business contracts are in order, both with your clients/customers and with third party suppliers who may need to process data to perform their role
There is still time but the sooner you start this process the better. Cleaning your current data will be much easier without the pressure of a looming legal deadline. The requirements under GDPR are becoming clearer each week and we are expecting further information relating to GDPR in terms of marketing to become available soon.
The amount of data that organisations are able to legitimately hold will undoubtedly reduce as a result of the introduction of GDPR. In the case of marketing data however, the data held will be cleaner and more accurate, allowing organisations to interact with contacts who are actively engaged with the business.
For more information about GDPR and how it could affect your business, visit www.bpe.co.uk/gdpr.