GDPR (General Data Protection Regulation) is the result of four years of work by the EU. Essentially it is an update to the Data Protection Act 1998, looking at the way data is used and ensuring that anything sensitive is properly secured.
The idea is that data protection rules are consistent throughout the EU and that people feel more secure and reassured, by giving them more control over how companies use their data and by bringing in tougher rules to clamp down on any misuse.
But what about Brexit?
With Article 50 yet to be triggered, GDPR will come into force before Brexit goes through. Therefore, UK companies will still have to abide by its rules until any alternative regulations or legislation are put in place.
How does this affect my small business?
In simple terms, if your company handles anything sensitive (for example people’s addresses, bank details, etc.) then you need to show why you need it. The idea is also that once you have finished using that information for its lawful purpose, it then needs to be deleted.
Of course, this then leads to the question: what do we mean by “lawful”? This is where it becomes a bit more complicated. Lawful can refer to someone willingly giving you their information. Alternatively, it can refer to something that is essential for a specific purpose. A good example of this is medical details. A GP may well need to pass on your medical details in order to ensure you get the right treatment if you need to see a specialist.
One aspect of this will be how people consent. Under these rules you will not be allowed to have pre-ticked boxes, where someone has to un-tick the box to make clear that they do not consent to you sharing that information. It is also important that you clarify how you process the information that you have been given.
The “right to be forgotten”
A new aspect is the “right to be forgotten”, whereby an individual can ask that their data be deleted. This can be because they feel the information is out of date or do not wish people to find it (if it causes personal embarrassment or refers to something that happened a long time ago). They can also ask for this if they feel that the way the data was collected was unethical. There is also the option for data to be moved elsewhere (free of charge) within one month if they ask for it.
Even with the best security systems, breaches can happen. What is crucial is that if this occurs you must report it within 72 hours of the breach happening, explaining what has happened, who could potentially be affected and how. If you do not comply with this then you can be fined 2% of your revenue.
If you are concerned that your business is not GDPR compliant contact Digi Toolbox today to see how we can help. Putting something in place now will prevent problems later on!