Experts Corner: Get ready for GDPR
Raj Tandon from ADVICE4GDPR is a certified GDPR Practitioner and fellow of IAPP and has been helping businesses manage their GDPR obligations. He is also an experienced business consultant working with a wide range of businesses from start-ups to SMEs.
The General Data Protection Regulation (GDPR) is new European legislation relating to the collection and processing of personal information of individuals within the EU.
It comes into force on 25 May 2018 and businesses should be able to demonstrate compliance by this date.
What types of businesses does it affect?
The GDPR applies to any business, regardless of size, that collects and processes the personal data of EU citizens. This includes customer, supplier, partner and employee personal data.
What are the implications of GDPR for my business?
The new legislation requires all businesses and organisations, regardless of size, to transform the manner in which they approach data protection. This means changing existing policies, putting in place new processes and ensuring all staff are adequately trained to ensure compliance. The GDPR includes a new accountability principle that states that all businesses that come under its scope must be able to demonstrate compliance.
What do I have to do to comply?
For your business to be GDPR compliant, there are several things you need to consider.
- Know what data you are holding and why you are holding it
- Ensure there is a structure in place to enable secure and effective management of the data
- Ensure a culture of security awareness within your business
- Have a plan for dealing with Subject Access Requests (SARs). A SAR is a request from an individual for the personal information that your organisation may hold about them
- Have robust breach detection, investigation and internal reporting procedures in place, since certain personal data breaches must be reported to the supervisory authority (the ICO) within 72 hours
What if I haven’t done anything to comply?
You cannot ignore the GDPR legislation. You need to start the process of compliance and importantly be able to demonstrate that you have done so. Elizabeth Denham the Information Commissioner says “To small and micro businesses, clubs and associations who are not quite there, I say don’t panic! 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities, to better protect customer data.”
How much will it cost to comply?
The amount you will need to spend will depend on the size and complexity of your business and the amount of data that you process.
What are the consequences of not complying?
Failure to comply with the GDPR, whether through administrative failures or personal data breaches, could result in a regulatory investigation and a potential fine. However, it should be noted that not all infringements will lead to serious fines.
Non-compliance could lead to any, or all of the following:
1. Administrative fines
These are discretionary, “effective, proportionate and dissuasive”, and are decided on a case-by-case basis. However, the ICO is likely to take a pragmatic and realistic approach, especially with small businesses, and more so if you can demonstrate that you are taking reasonable steps to ensure compliance.
2. Liability for damages
Individuals have the right to compensation for any material and non-material damage resulting from an infringement of the GDPR.
3. Reputational damage and loss of trust
How would your business cope in the event of non-compliance?
What do I do, where do I start?
GDPR involves businesses changing the way they look at and manage personal data. To start the compliance process, it is recommended you do the following:
1. Understand. Grow your knowledge of what the GDPR is.
2. Decide. Understand how it affects your business and scope what you need to do to manage compliance.
3. Implement. Start the implementation process by first developing a plan that sets out activities and responsibilities, allocates resources and has a realistic timeline. This is in line with showing ‘accountability’, a key element of the legislation.
How can business owners find out more information on GDPR?
Visit the ICO website, which has information presented in a simple and easy to understand format.
For further information contact Raj Tandon.