The General Data Protection Regulation (GDPR) comes into effect from 25 May 2018, and is a data protection regulation that your business needs to be thoroughly prepared for. Your data handling procedures may need to change. There are some things that you can do to make sure your business is fully prepared.
We’ve put this guide together to highlight some of the things you can do in preparation.
The new GDPR brings with it eight key rights for individuals, and your procedures and policies may need to be updated and tweaked in order to guarantee that you can follow through on them.
The eight rights for individuals you need to keep in mind at all times are:
Fines under the existing Data Protection Act have an upper limit of £500,000. Fines under GDPR, however, can be up to €20 million or 4% of worldwide turnover, whichever is higher.
As a result of the new rights of individuals, you may have to alter your current data handling procedures.
For example, a good starting point is to look at exactly what personal data you currently hold, and what you use it for. Are you collecting more information than is strictly necessary for your purposes? GDPR cracks down on frivolous data collection, meaning you need to only collect and keep exactly what you’ll use.
Think about any documents you have for customers to sign when taking on your services. Are they worded clearly enough? You may need to rewrite some documents to ensure that your customers know how (and why) you are processing their data, and to comply with the requirements set out in the GDPR. The information you supply about the processing of personal data must be free of charge, concise, transparent, clear and in plain language.
Additionally, new processes might need to be created from scratch for certain requests, such as transferring and deleting personal data, as well as verifying the identity of individuals before you follow through with those requests.
For most small businesses it won’t be a legal requirement to appoint a data protection officer (DPO). However, it may be beneficial to your business to allocate someone on your team who is responsible for your data obligations.
The DPO’s tasks should include advising the organisation on data protection laws, monitoring compliance, conducting internal audits and being responsible for communication of data breaches.
GDPR is a change in how data protection and data handling operates for businesses. It could affect your business in many different ways, from taking on new responsibilities to the additional time and costs you might need to make changes to processes in your company. So it’s wise to use a third-party expert to help do the work for you.
FSB members are supported with advice and guidance to develop simple step-by-step plans to prepare their business for, and maintain, GDPR compliance.
FSB Business Essentials members have access to:
If you’re interested in learning more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection web pages. The services are included as standard with our Business Essentials package. Please take a look at our product comparison page to find out about the benefits of this package and our others.