Did you know you could be fined up to €20 million (or 4% of turnover if less) if you don’t comply with the new regulations after May 2018?
This applies to all UK businesses and will NOT be affected by Brexit. GDPR will supersede the current Data Protection Act!
What does GDPR do?
Although large and complex, it can be summarised as “designed to protect the data of EU citizens and residents, wherever stored”, but what does that mean in reality?
All businesses will have to demonstrate how they are complying with these new regulations…so you only have a few months to get systems in place!
Don’t forget, this is not just electronic data, it includes all paperwork and files kept by the business (either in the office or in storage).
What does this mean for my business?
You will need to identify:
- What data is being held – both electronic and physical (e.g. paper files on staff)
- Why data is being processed
- How data is being processed
- Who has access to the data (physical, electronic, local and remote!)
- Who is processing the information
- How such data is protected (if at all?)
You will also need to establish policies for handling, processing and retaining data in order to demonstrate compliance.
Individuals will have rights to be forgotten with all data pertaining to them being deleted, where legislation allows. This is why organisations need to be able to quantify what they hold, where it is held (location and format) and who has access to it. Systems need to be implemented allowing personal data, held in both electronic and paper form, to be located and deleted across the organisation.
What should I do next?
Carry out a review of your processes and policies, but bear in mind this should be relevant to the size, complexity and type of business and more importantly, the data you collect.
For example, a chemist, doctors surgery or dentist with turnover of £0.5m may collect a lot of personal data and as a result, their GDPR policies and systems may need to be far more complex than a manufacturer with turnover of £50m!
Where can I get more information
While we are not data experts and cannot, therefore, perform your data reviews for you, there is good information available at www.ico.org.uk. We also have a GDPR guide for electronic systems from ICAEW – please email Ian Smith at firstname.lastname@example.org for a copy.
Next month we will expand on the review process, identifying data (especially personal), the systems needed to notify breaches in security and other GDPR requirements.