On 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into force for all UK businesses. GDPR places a new expectation on your business to build data protection into your processes "by design and by default" rather than as an afterthought, and it brings much larger fines for data breaches. While the UK is leaving the EU in 2019, the GDPR rules will be written into UK law before then, so we all need to comply.
Features of the new General Data Protection Regulation that you need to know:
- Every single breach must be assessed to decide whether it may result in a risk to the "rights and freedoms" of the individuals whose data you hold: this could be a financial risk, a reputational risk or an impairment of their rights and freedoms
- If so, it must be reported to the Information Commissioner's Office ("ICO") within 72 hours of your becoming aware of it, and, where the breach is likely to result in a high risk to the individuals affected, to those individuals "without undue delay"
- A new role of "Data Protection Officer" is created; appointing one is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (for example health data)
- Data is expected to be "minimised": collect and keep only the personal data you actually need, for no longer than you need it, and hold it in as few places as possible so that it stays under control
- Data Protection Impact Assessments are mandatory for new projects or processing that is likely to result in a high risk to individuals (for example large-scale profiling or processing of sensitive data), and are good practice for any new project that handles personal data
- A "right to be forgotten" (the right to erasure) is created, in addition to the existing right of individuals to request a copy of all the information you hold on them (a subject access request).
There is still time to prepare for GDPR
Fines for non-compliance can be up to the higher of 4% of annual worldwide turnover or EUR 20m. While the regulators are initially expected to take a lighter touch, they will take a dim view of wilful non-compliance and of a lack of care over data. There is still time to prepare for the new General Data Protection Regulation, and we suggest you ask yourself these questions:
- Are we happy we understand what data we are holding?
- Have we updated our Data Protection Policy and trained all of our staff in best practice?
- How do we protect our data when staff work from home?
- Do we encrypt all mobile devices which contain personal data?
- Do we actively minimise the data we hold including deleting information we no longer need?
- Do we ask clients/targets to opt in to marketing information rather than presuming consent?
At Backhouse Solicitors we have put together a comprehensive training package on GDPR and its impact, which is now available to all of our clients. Our "Understand" workshop teaches senior managers what is required under the new rules and how to start planning for their introduction. Our "Plan and Initiate" workshop takes this a step further and works with senior management to develop a company-wide plan to integrate GDPR into the business.
To find out more and to book a training session for your business please contact us today on 01245 893400.
The Backhouse Solicitors Team
Tel: 01245 893400