Data protection is something the public is increasingly aware of. People want to know who owns their data and exactly what is being done with it, who it is shared with, and how it is secured, retained and stored, and that is where the new GDPR rules come in.
While many people associate this with larger corporations, small businesses are also responsible for personal information, so it helps to know the new legislation and how it will affect your business.
What is it?
The European General Data Protection Regulation (GDPR) is set to become law on the 25th May 2018 and will remain in place beyond Brexit, supported by the Data Protection Bill which is currently passing through Parliament. Moreover, further tightening of the law is expected.
Individuals will be allowed more rights over what companies can and cannot keep, and if the regulations are found to be broken, you could potentially be fined up to £17m (20 million euros) or four percent of annual turnover.
What you need to do
Some people have suggested the rules do not apply to companies with fewer than 250 employees – this is not accurate. It is important that businesses of any size are aware of the personally identifiable data they are processing (for example health records, contact details or photos), and the correct legal basis needs to be established for any data processed (there are six in total: consent, contract, legitimate interest, legal obligation, public interest and vital interest).
It is vital that any breaches of data protection are reported within 24 hours where possible, but no later than 72 hours after the initial discovery of the breach. Data subjects will also need to be informed in some cases.
Most importantly, businesses will need to demonstrate a complete compliance programme to ensure data is processed appropriately. This will include:
• The correct legal basis;
• A legitimate reason, limited to what is necessary;
• Appropriate security; and
• Retention for only as long as is necessary.
As well as their own handling of personal data, businesses are also responsible for ensuring that suppliers are compliant if they process personally identifiable information on the business's behalf.
Should personal data be requested by a data subject via a Data Subject Access Request (SAR), companies will have just one month to comply.
For some companies, a Data Protection Officer (DPO) may need to be appointed to assist in compliance. For others, support may well be sought as part of a best practice model.
Businesses will also be required to show what data they keep, by undertaking data mapping, and where a high risk is identified they will be required to complete Data Protection Impact Assessments (DPIAs) – this is a legal requirement under the GDPR.
We can help
While it can seem overwhelming at first, the long-term benefits to your customers and your business can be massive. Trust is a big part of customer interaction, and they are likely to be reassured if you can demonstrate that you are compliant with GDPR rules.
To find out more on how GDPR legislation will specifically affect you and what steps you need to take in order to safely handle customer data, please contact Digi Toolbox today, and we will be happy to help you.