25 May 2018 is when the new General Data Protection Regulation (GDPR) law will kick in.
GDPR is a major new piece of EU data-protection legislation, and it will have implications for nearly all businesses.
You’ve clocked that it is EU legislation, so perhaps you’re thinking it won’t matter because of Brexit. Wrong!
We will still be in the EU when it comes into effect. And once we leave, the UK government has indicated it will introduce legislation that mirrors EU rules anyway!
GDPR is designed to give European citizens more control over how companies use their personal data. It is backed up with harsh penalties – does a fine of €20 million or 4% of global turnover make you take notice?
Are small businesses exempt from GDPR?
The short answer is no. Small businesses will be affected by GDPR.
If you are collecting, storing, handling or processing personal data, these rules are going to be relevant. Here are some of the issues that you will have to deal with.
Explicit opt-ins. You will now have to get explicit opt-ins where people have been told exactly what they are signing up for. You can’t collect email addresses for one purpose and then use them for something else.
Accountability and a paper trail. You must have the systems in place to record customer consent. It may also mean that you will have to document decisions you take about using data.
Breach reporting. This relates to a breach of security that leads to unauthorised disclosure of, or access to, personal data – or the loss, destruction or alteration of that data. You’ll have to report it to the regulator within 72 hours of discovery and potentially to individuals concerned. You will also have to investigate the breach and take action.
Next steps for GDPR
Although the launch date is in 2018, you need to act now. The best starting place is to understand what data you have, where it’s stored and who has access to it.
Once you have this understanding, you can start to plan. Ask yourself questions like “Do we use data solely for the purposes we have disclosed? What effect will our activities have on our data?”
We’ve given you a starting point. But there is so much detail that we can’t cover everything in one article. We’d suggest the next step is to talk to an expert.
Chris Pottrell advises businesses on strategic IT solutions. If you’d like to discuss GDPR, call Nebula IT on 01454 534 009.