Demanding and sweeping changes to the way organisations can store and handle personal data come into effect on 25 May 2018, making it vital that preparations begin as soon as possible to ensure compliance.
The EU General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA) and will affect all firms that deal with customer data in virtually every sector.
The aim of GDPR is to overhaul and modernise current data protection laws, which date back to the pre-digital 1990s, when only the largest organisations had the means to collect and store significant amounts of data.
Now, many organisations – including thousands of small and medium-sized enterprises (SMEs) – routinely collect personal details, store, move and access them online, and use personal data in sales, marketing and customer relationship management.
Major data breaches have become increasingly common, including the theft of names, birthdates, emails and addresses as well as social security, pension and bank account details.
How will GDPR affect UK firms?
It will reach much further than existing data protection laws. The main changes are the introduction of increased accountability for both data controllers and data processors, the need for consent, hefty fines for non-compliance of up to a maximum of £74 million or four per cent of global turnover, and new rights granted to individuals regarding the use of their personal information (which will be much more broadly defined).
In a nutshell, GDPR means organisations must know what data they hold and where it is stored, be able to totally remove it if a request is made to do so and have the procedures in place to respond to any security breaches speedily and effectively.
What should organisations do to prepare?
According to a recent survey, 66 per cent of UK organisations either have no idea what GDPR entails or have no plans to begin preparations. And there has certainly been confusion about what organisations’ obligations will be.
Key steps businesses should take before the May 2018 deadline include:
But what about Brexit?
Many have mistakenly assumed that because GDPR is an EU framework, it will not apply to UK businesses post-Brexit. But the Government’s Statement of Intent for the new Data Protection Bill, published earlier this year, has confirmed it will be enshrined in full into UK law.
So time is of the essence.
For help and advice about what you can do to prepare for GDPR, please contact Wards Solicitors’ Business Employment team.