Posted 12 December 2017 By James Gare, Partner
GDPR - General Data Protection Regulations - replaces the existing Data Protection Act from 25 May 2018. The new legislation governs how companies use the information they have on their customers and subscribers and covers all forms of digital marketing across Europe. It gives individuals new ‘rights’ and powers, and not complying can result in fines up to 2% of an organisation’s annual income. If a business suffers a data breach, the resulting fines can increase to 4% or even €20 million.
Regulations will be coming into force tightening restrictions on consent, data breaches and notification, and individuals’ rights to access the information held on them and to have it erased should they wish. Those businesses which collect and hold personal data will also need to abide by rules concerning how they design their systems to ensure privacy and security, as well as enabling the individual to reuse their data should they wish.
People have probably heard the phrase GDPR more and more over the last couple of months, but many businesses don’t realise if and how it applies to them. In our role as Business Advisors, we keep our clients up-to-date with these types of legislative changes to avoid breaking the law and the resulting financial implications.
These changes may seem fairly innocuous at first glance; however, processes you currently use or have used in the past could immediately put you in breach of the legislation come May.
At a minimum, you should be mapping out how information is held within your organisation. This includes trying to understand what information may not be adequately controlled and confirming that any data obtained through a third party has been lawfully obtained. If you’re not 100% sure about this, then you must delete this data. For information you’ve directly obtained, it will be necessary to refresh existing consents if they do not meet GDPR standards.
I’d advise people to prioritise taking the time now to review their procedures and even map out what would happen should requests to receive or delete personal data under the new GDPR legislation be received. By May next year, these must be firmly in place, so it’s never too early to start.
To find out how GDPR will affect you and what you need to be doing now, download the MHA Monahans GDPR Overview from our website, or contact James Gare on 01225 785520 or send him an email.