The EU General Data Protection Regulation is an impressive piece of legislation. Like all legislation, the GDPR is complex and open to interpretation. This is where we can help you. We can help you understand how it applies to your business, and guide you on the steps you must take to become compliant and remain so. How to deal with a DSAR will become very important under the GDPR.
It sets out to provide individuals with protection of their personal data. The secondary goals are to balance the rights of the individual against other rights, such as, but not limited to, public interest and to make sure that a consistent rule of law is in place throughout the EU and the EEA.
Before you read on, keep calm, it is not as tough as you might think. Help is at hand and we are here to help. So don’t be afraid to ask. We can take you through the entire process whilst you get on with running your business.
So, if you’re only just hearing about GDPR, here are some of the changes to be prepared for.
Accountability and Compliance
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies and data protection impact assessments. Having relevant documents on how data is processed is also important. In recent times there have been many data breaches reported by firms including Yahoo, LinkedIn, Talk Talk, My Fitness Pal, British Airways, Pharmacy and MySpace, to name but a few. Under the GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator. In the UK, this is the ICO.
If you are a company that carries out “regular and systematic monitoring” of individuals on a large scale or processes a lot of sensitive personal data, then you will have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff. Some larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior management, monitor compliance with GDPR and be a point of contact for employees, customers and the regulator. We can become your DPO; ask us about our DPO-as-a-service facility.
There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information, they have to clearly explain what that consent is being given for and how long the data will be kept. There’ll need to be a “positive opt-in”. Where this consent is not available, great care should be taken before attempting to solicit permission and advice should be sought. Again, we can help here.
Access to your data
The GDPR doesn’t just place new obligations on the companies and organisations collecting personal data. The GDPR also gives individuals a lot more power to access the information that’s held about them. Currently, a Data Subject Access Request (DSAR) allows businesses and public bodies to charge £10 for this service. Under the GDPR this is being scrapped and requests for personal information can be made free-of-charge.
A business or organisation must provide this data in the form that it is stored once the DSAR is received. This must be provided within one month of the request, subject to an ID check being satisfactory. Everyone has the right to get confirmation that an organisation has information about them. Access to this information and any other supplementary information must also be provided. Firms that are big technology companies, as well as smaller startups, now have to give EU subjects control over their data.
Decisions and Data Retention
Also, the GDPR bolsters a person’s rights around automated processing of data. The ICO says individuals “have the right not to be subject to a decision” if it is automatic. Should this decision produce a significant effect on a person then this is no longer allowed. There are certain exceptions but generally people must be provided with an explanation of a decision made about them.
The regulation also gives individuals the power to access their personal data. Individuals may have it erased in some circumstances. This is the GDPR right to be forgotten. It includes cases where it is no longer necessary to keep the data because it is no longer used for the purpose for which it was originally collected. Once consent is withdrawn, there is no legitimate interest. If the data is then processed, this is unlawful and fines can be levied. Don’t keep data you no longer need. Feel free to ask our advice on data retention.
One of the most talked about elements of the GDPR is fines. The regulator has the power to fine businesses that don’t comply. Should an organisation not process an individual’s data in the correct way, it can be fined. A business or other organisation is legally required to have a data protection officer if the company has 250 employees or more. Failure to appoint one could lead to a fine. A security breach leading to a data loss could lead to a fine, but damage to a business’ reputation is a greater worry for business owners. However, there has been a great deal of scare-mongering in the marketplace. Don’t panic!
The ICO will decide upon the size of fines. The GDPR states that lesser offences could result in fines of up to €10 million or 2% of global turnover (whichever is greater). Those with more serious consequences can be fined up to €20 million or 4% of a firm’s global turnover (whichever is greater). These are larger than the £500,000 maximum penalty the ICO could previously wield under the Data Protection Act of 1998. According to analysis, the fines could be many multiples higher under the new regulation. The reality is that the fines are not Those that have been issued have been high, but not to the point where they could lead to the failure of a business.
With our full service offering, we can help you become compliant with the GDPR. Alternatively, we can help you to compliance from where you are today. Feel free to call us and we will carry out an initial consultation. This can be on the telephone, via Zoom or in person. We can then provide you with a tailored quote for the services you will need for a fixed price. Click here to fill out a contact form or call 03333 22 1011. If you want to view the full version of the legislation, please click here.