GDPR is something that every company needs to take seriously, even if they think they will not directly be affected right now.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) comes into force on 25 May 2018. It is the new regulation seeking to improve the security and transparency of personal data processing, and in the UK it replaces the current Data Protection Act 1998.
Under the new regulation, companies must have a clear policy for data collection, processing and security. Many companies collect data as a part of doing business (e.g. billing information, addresses, location information, email addresses, social media handles etc), but they do not always explain (or in some cases even know) how that data will be stored and processed.
GDPR legislates as to how businesses gather, use and retain personal data about individuals who are in the EU. Businesses must comply or face hefty administrative fines; GDPR itself does not impose prison sentences, but it leaves Member States free to set further penalties in national law, and there is also a great risk of reputational damage for breaches of the regulation.
The Information Commissioner’s Office (ICO) is the UK‘s independent supervisory authority for data protection and will enforce GDPR in the UK. Many businesses are unsure how it will impact their business or what changes they need to make.
The key message is don’t panic. And we are here to help!
Will it affect my business?
If you hold or process any personal data on anyone in the UK or EU, you fall within the scope of the regulation. This applies whether you are the controller who decides why and how the data is used or a processor acting on a controller’s behalf, and whether or not your business is itself based in the EU.
This regulation is being created to protect individuals. In our digital world, there are increasing concerns about the theft of personal information through cybercrime. Incorrect data can cause a mortgage application to be rejected, and leaked data leads to more junk mail and targeted scams, to list but a few examples. Companies will be held accountable and liable for breaches of the regulation, whether by intent or negligence.
Consent under GDPR must be freely given, specific, informed and unambiguous. You will no longer be able to rely on assumptions, pre-ticked boxes or silence. People must make a positive opt-in for you to store their information and choose to receive information from you. You must also provide a simple way for people to withdraw their consent.
Fines will be “effective, proportionate and dissuasive”
No matter the size of the company, you need to comply with this regulation. The ICO has already said that it will not be lenient.
Recently Carphone Warehouse was fined £400,000 under the current Data Protection Act for failing to secure data relating to customers and employees, which allowed unauthorised access to the details of more than 3 million individuals, putting each one of them at risk of abuse. That fine could be far greater under GDPR, where the maximum fine is €20 million (roughly £17 million) or 4% of worldwide annual turnover, whichever is higher.
The ICO has been clear it does not intend to seek out and issue punitive fines to offenders come 25 May; it has always maintained that fines are a last resort. GDPR is about the safety of individuals’ data, not fines. The ICO knows most companies want to get it right and aims to help to guide, advise and educate companies about how to comply with the law.
Where do I start?
There’s still a lot to learn in a short space of time, but the fact that you’re reading this article suggests that you have already made the first step towards getting your organisation up to speed before 25 May.
Right now, it is about getting your business information systems ready so you are GDPR compliant. Data protection by design and by default (Article 25) and appropriate technical and organisational security measures (Article 32) are requirements of GDPR, and they must run through every element of data control and information processing, from understanding your hardware and software to adopting the procedures, guidelines, standards and policies that an organisation has or should have.
www.ico.org.uk is the original and best source for the regulation in full, regular information updates and a plain English summary of what GDPR really means.
While the information is accurate and accessible, the fact remains that the preparation still needs to be done.
Does your company meet the GDPR Fundamentals Standard?
There is no shortage of advice on GDPR, but if you want to take a more practical approach, Kate Armstrong, nesma Tutor and Blue Shadow Growth Agency’s Managing Director, is a registered GDPR Fundamentals Practitioner and recognised as a specialist in the new GDPR Fundamentals standard.
If you would like some practical help with GDPR, this 3-part programme of activity is ideal for you. The programme will help you understand your organisation’s legal duties, put a spotlight on any changes you need to make and ultimately ensure you reach the GDPR Fundamentals standard.
The GDPR Fundamentals standard* has been devised to assist organisations in their efforts to comply with the new data protection regulation. It offers businesses the opportunity to obtain external recognition of their GDPR management system and has been written using the principles of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
There are three elements: the training, the audit and the certificate.
The Training will give you the knowledge to assess your organisation against the GDPR requirements, using a practical framework that will help you understand what it means to be compliant. Businesses will receive a GDPR Fundamentals attendance certificate from the accrediting body on completion of the 1-day training course.
The Audit, delivered in the form of a 2-hour survey carried out by an accredited GDPR Fundamentals Practitioner, will help you to assess your systems and policies against the demands of the GDPR Fundamentals standard.
The GDPR Fundamentals Certificate of Compliance is a recognised management standard for data protection compliance which immediately identifies that your organisation has been audited by an independent third party and that you can demonstrate compliance.
Find out more about the GDPR Fundamentals programme –
The 1-day training costs from £395 + VAT per person.
Get more information about this course and the full programme by emailing hello@nesma.co.uk or calling Kate Armstrong on 07930 473 971.
Disclaimer
This information is aimed at giving you a summary of current and emerging data protection and privacy regulations and guidance. It is not intended as legal advice and is not represented as such by the author or publisher. It is advised that legal counsel is sought to ensure compliance with legislation.
*QG Business Solutions is the Accreditation Body based in the UK.