Solicitor and Head of Commercial Law with Jordans Corporate Law Limited, Simon Bates, shares his views on the upcoming GDPR regulations.
If, like many business owners, you’ve convinced yourself that GDPR doesn’t apply to you because you believe you don’t deal with consumers and you don’t handle personal data, then you need to stop and think again.
Just ask yourself the following 3 questions:
- Do we have any employees?
- Do we receive or send emails even if only to business contacts?
- Do we store contact details for individuals even if they are business contacts?
If the answer to any of these questions is “yes”, your business is processing personal data and GDPR, which governs how businesses must handle that data, unquestionably applies to you.
The General Data Protection Regulation, or GDPR, is a new data protection law that comes into force on 25 May 2018.
A business looking to comply with GDPR should take the following steps:
- Management must commit to the business becoming GDPR compliant. Businesses can be fined up to 4% of their annual turnover or €20m (whichever is the greater), so this alone should be incentive enough to take GDPR compliance seriously.
- Understand exactly what personal data your business holds and how it is stored and used. You cannot hope to comply unless you know what your business is doing with the personal data it holds.
- Undertake a GDPR gap analysis to ascertain the areas where the business needs to make changes.
- Implement the changes and, in particular, evidence your GDPR compliance through appropriate policies and procedures. Demonstrating your compliance is an important new requirement of GDPR.
- Train your employees on GDPR compliance. Don’t let all the good work you’ve done on compliance go to waste because of the unfortunate actions of an untrained employee.