From 25 May 2018, the new legislation will change the face of data protection as we know it, and businesses need to be well-prepared, as fines for non-compliance are frighteningly high. For the most serious breaches, the Information Commissioner’s Office will be able to issue fines of up to 4 per cent of global turnover, or €20 million, whichever is higher.
In order to comply with the GDPR, all businesses must ensure that they process data in accordance with the six new principles. The data must be collected for specific purposes, processed fairly and lawfully, and it must be accurate and kept up to date. Data should be stored securely and kept for no longer than is necessary.
In addition, there are increased rights for the individuals whose data is held. Some of these are very similar to rights under the current law, but the right to be forgotten and the right to data portability are new, and the right to access data has been improved.
In order to prepare for these new rules, Hethertons recommend that you carry out an audit on the data you hold, including how you obtained it and what you use it for. You also need to check how secure the data is, who has access to it and whether you ever transfer it to other people outside your business.
Businesses will need to make sure that they have a lawful basis for using the data, and it is vital to provide a privacy notice to individuals to tell them what type of data you hold on them and what rights they have in relation to that data.
The GDPR rules are very complex and there is a lot of preparation to do by 25 May. If you are not yet fully prepared, call David or Jo on 01904 528200 for practical advice on what to do next.
You can see the Hethertons GDPR Essentials and GDPR Plus packages by clicking here: www.hethertons.co.uk/for-businesses/employment-law/general-data-protection-regulation/.