As litigation lawyers, we regularly act to protect clients against others misusing and exploiting their image, information or privacy. A fundamental change is going to take place on 25 May 2018 that company owners in particular need to appreciate. The EU General Data Protection Regulation (GDPR) will have an impact that goes to the core of how you do business. Now is the time to put in place the serious preparations to meet this deadline because, if you aren’t prepared by then, your business might not survive.
What is GDPR?
In plain English, it is a European Union-wide Regulation that harmonises data protection law across the member states, and it will apply to the UK despite Brexit. It re-defines how personal data may be collected, used and controlled, both within the EU and worldwide by companies doing business with people in the EU. Personal data is any information relating to an identified or identifiable individual, whether it concerns his or her private, professional or public life – a name, address, ethnicity, telephone number, credit card details, medical or bank records, or even the IP address of their internet connection. It covers the whole lot. If you obtain or use any personal information while trading – about customers, potential customers or staff, which is practically every business – you must comply with the rules governing how that information is collected, stored, used and deleted.
You will be legally required to appoint a Data Protection Officer if you are a public authority, or if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health or ethnicity) or of criminal conviction data. Size alone is not the test, but many medium sized and larger businesses will fall within it. The DPO must be someone with expert knowledge of data protection law and practices, and may be an employee or an external adviser.
How does GDPR threaten my business?
The Information Commissioner's Office (ICO) can investigate any suspicion of non-compliance, and anyone, including your rivals, can bring a complaint. A personal data breach must be reported to the ICO within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned, and where the risk is high the affected individuals must be told as well. Right now, many businesses suffering a cyber-attack or data loss look to hide it and hope to avoid attention; that will no longer be an option. Organisations that fail to properly obtain, protect and, where necessary, erase personal data can face repeated costly audits, may find their insurance withdrawn or harder to obtain, and can be publicly fined up to €20m or 4% of total worldwide annual turnover, whichever is higher.
How do I prepare for it?
First of all, create and maintain a meaningful culture of information security within your business, backed by an audit process that checks it is actually being followed. Secondly, make sure everyone you do business with who handles personal data on your behalf (IT support, data storage and cloud providers, and anyone you purchase marketing lists from) meets the same standard, and that your contracts with them say so.
If you back up data to the cloud, satisfy yourself that the provider has the necessary infrastructure, staff, policies and procedures, and know where the data is physically held. Every use of personal data needs a lawful basis. Where you rely on consent, the standard is high: it must be freely given, specific to each purpose, informed and unambiguous, and you must be able to prove it was given in every case. Pre-ticked boxes and silence do not count. You will need records showing not just how the data came to you, but when and by whom it has subsequently been accessed, and with whom it has been shared. If a person then withdraws consent, unsubscribes or asks for their personal data to be erased, the records must show both the request and that it was acted on, including by anyone you passed the data to.
Get ready for the GDPR deadline or prepare for the real prospect of your business facing public and financially crippling consequences. Understand how data is collected, stored, used and deleted, but also ask yourself if you can justify needing it to manage your business and employment relationships.
Here at Griffin Law we can help you protect your business data, advise you on what to do in the event of a breach, and assist with everything mentioned above. If you would like advice on any matter, Griffin Law provides prompt, astute and cost-effective advice to its clients. Contact us at [email protected] or on 01732 525923.
Article by Dan Sherlock, Senior Associate, Griffin Law