European General Data Protection Regulation (GDPR)
The new European General Data Protection Regulation (GDPR) came into force on 25 May 2018.
Are you and your business compliant with it?
What is GDPR and how is it relevant to your business? Here is a quick summary to help you dive into the details.
It will change how businesses and public sector organizations can handle the information of customers.
There are monetary penalties for noncompliance with GDPR. Smaller offences could result in fines of up to €10 million or 2% of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or 4% of a firm's global turnover (whichever is greater).
Both personal data and sensitive personal data are covered by GDPR. Personal data broadly means any piece of information that can be used to identify a person: a name, address, IP address, email address, and so on.
GDPR replaces the previous 1995 data protection directive.
Businesses need WRITTEN consent from existing or potential clients/customers to send them marketing/promotional material by email.
You won’t need consent for postal marketing.
Review your email and website sign-up material and remove any ‘pre-ticked’ boxes, as these are not permitted under GDPR.
Under GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” people’s data has to be reported to a country's data protection regulator (in the case of the UK, the ICO) where it could have a detrimental impact on the people it is about. This can include, but isn't limited to, financial loss, confidentiality breaches and damage to reputation. The ICO has to be told about a breach 72 hours after an organization finds out about it, and the people it impacts also need to be told.
For companies with more than 250 employees, there is now a requirement to document why people’s information is being collected and processed, what information is held, how long it is being kept for, and what technical security measures are in place.
As well as putting new obligations on the companies and organizations collecting personal data, the GDPR also gives individuals a lot more power to access the information that's held about them. At present, businesses and public bodies can charge £10 to answer a Subject Access Request (SAR), in which a person asks to be given what is held about them. Under the GDPR this charge is being scrapped and requests for personal information can be made free of charge. When someone asks a business for their data, the business must provide the information within one month.
To help prepare for the GDPR, the ICO has created a GDPR guide and a telephone helpline for small businesses (call 0303 123 1113 and select option 4). The service provides answers about how small companies can implement GDPR procedures.