UK businesses act to ensure GDPR compliance
The GDPR is the General Data Protection Regulation – the new law that came into effect on 25 May 2018
The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998. It gave control of personal data back to individuals by addressing modern concerns about data protection in the digital age. All UK organisations that hold or process personal information were obliged to be compliant with the GDPR by 25 May 2018.
The way we use data has changed significantly over the last 20 years, specifically in relation to how personal data can be acquired and dealt with.
Data can be stored locally or in the Cloud, hosted anywhere in the world. All personal data relating to EU citizens, wherever it is stored and whether on paper or in electronic form, is included in the GDPR. Organisations of all sizes are covered by the legislation and it applies within the UK both before and after Brexit.
What does ‘personal data’ mean?
The GDPR takes a wide view of what constitutes personally identifiable information (PII). Companies need the same level of protection for things like an individual’s IP address or cookie data as they do for a name, address and national insurance number. Photos and CCTV images count as personal data too. Where personal data relates to children, additional rules apply.
The Regulation is now live, which means new rights are in place for people to access the data companies hold about them. Companies will have been obtaining consent and clarifying why people’s information is collected and processed by their organisation. Every business should now have clear policies for managing and holding personal data. Organisations will have thought through what they will do when they receive a ‘data access request’ and someone asks what personal data they hold about them. They should also be clear about what action they would take in the event of a ‘data breach’.
Simply having a ‘Data Protection’ policy is no longer enough.
Compliance with the GDPR
To help prepare for the GDPR, the Information Commissioner’s Office (ICO) created a 12-step guide including steps such as making key people aware of the Regulation, determining what information to hold, reviewing and updating privacy notices, identifying the lawful basis for processing data and deciding what should happen in the event of a data breach. The ICO website was updated with guidance to assist UK organisations in becoming compliant as 25 May approached.
We have found many organisations taking action to make themselves GDPR compliant, but from inside an organisation it is sometimes difficult to work out whether enough has been done and whether there is more still to do.
The cost of failing to be GDPR-compliant is high and higher fines can now be imposed on those who fail to meet the new standards. The maximum penalty for breaching the GDPR is €20m or 4% of global revenue, whichever is greater.
The deadline has passed to become compliant and now may be a good time for a GDPR review. We can assist by auditing and advising you on areas where you now fully comply with the legislation and areas where there may still be room for improvement. We will also support you in the implementation of any changes required.
For a no obligation discussion, please contact me.