European General Data Protection Regulation (GDPR)
The new European General Data Protection Regulation (GDPR) applies from 25 May 2018.
Are you and your business ready for it?
What is GDPR and how is it relevant to your business? Here is a quick summary to start from before you dive into the details.
- It will change how businesses and public sector organisations can handle the information of customers.
- There are monetary penalties for noncompliance with GDPR. Smaller offences could result in fines of up to €10 million or 2% of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or 4% of a firm's global turnover (whichever is greater).
- GDPR covers both personal data and sensitive personal data. Personal data broadly means any information that can be used to identify a person: a name, address, IP address, email address, and so on. Sensitive personal data (the "special categories" in the Regulation) covers information such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation, and may only be processed under narrower conditions.
- GDPR replaces the previous 1995 Data Protection Directive (95/46/EC).
- Businesses need clear, affirmative consent from existing or potential clients/customers before sending them marketing/promotional material by email. The consent does not have to be on paper, but it must be a positive opt-in, and you must keep a record that lets you demonstrate when and how it was given.
- You won't need consent for postal marketing, provided you can rely on legitimate interests as your lawful basis and honour any request to opt out.
- Review your email and website sign up material and remove any ‘pre-ticked’ boxes – as these are not permitted under GDPR.
- Under GDPR, a personal data breach (the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data) has to be reported to the country's data protection regulator – in the case of the UK, the ICO – unless it is unlikely to result in a risk to the people it is about. Such risks include, but aren't limited to, financial loss, breach of confidentiality, damage to reputation and more. The ICO has to be told within 72 hours of the organisation becoming aware of the breach, and where the breach is likely to result in a high risk to the people affected, they also need to be told without undue delay.
- For companies with more than 250 employees there's now a need to keep records of why people's information is being collected and processed, descriptions of the information that is held, how long it's being kept for and descriptions of the technical security measures in place. Smaller companies are not exempt if their processing is more than occasional, is likely to result in a risk to individuals, or involves sensitive personal data.
- As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals a lot more power to access the information that's held about them. At present a Subject Access Request (SAR) allows businesses and public bodies to charge the individual £10 to be given what's held about them. Under the GDPR this fee is being scrapped and requests for personal information can be made free of charge (a reasonable fee is only allowed where a request is manifestly unfounded or excessive). When someone asks a business for their data, it must provide the information within one month, extendable by a further two months only for complex or numerous requests.
- To help prepare for the start of GDPR, the ICO has created a 12-step guide, which is available on the ICO website.
As well as this guidance, the ICO has created a telephone helpline to help small businesses prepare for GDPR (call 0303 123 1113 and select option 4). The service provides answers about how small companies can implement GDPR procedures.