I have to start this blog article by saying that I am not a lawyer, so if you are reading this I would urge you to take legal advice for your particular situation.
I have gathered information from various reliable sources to help businesses understand GDPR and decide whether the new regulation is relevant to them. Further information is available from the UK Supervisory Authority. The ICO have also published a 12-step guide to prepare for GDPR.
The GDPR (General Data Protection Regulation) becomes law on 25th May 2018 and replaces the current Data Protection Act. It affects every business in the UK that processes the personal data of EU residents, no matter what the size of the organisation. It is a myth that the regulation only affects businesses with fewer than 250 employees. The only difference for smaller organisations is that you do not legally have to appoint a DPO (Data Protection Officer). Nevertheless, it is recommended that you appoint one anyway if your core activities require regular and systematic monitoring of personal data on a large scale.
The regulation is designed to harmonise data protection laws across Europe, to protect and empower citizens’ data privacy and to reshape the way organisations approach customer data security. Non-compliant organisations can face significant fines of up to 4% of worldwide annual turnover or €20 million, whichever is greater. Despite this being much larger than the current Data Protection Act limit, the new regulation is focused on advising and educating organisations about how to comply with the law, rather than on finding ways to fine them. The issuing of fines will continue to be a last resort.
Some key facts about your GDPR responsibilities:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specified, explicit and legitimate purposes
- Personal data must be adequate, relevant and limited to what is necessary for processing
- Personal data must be accurate and kept up-to-date
- Personal data must be kept only for as long as is necessary for processing
- Personal data must be processed in a manner that ensures its security
Cyber security is such a large part of GDPR compliance that I would advise everyone to review this as soon as possible—you will be required to demonstrate security around the processing of data. Approved certifications such as Cyber Essentials, ISO 27001 or PCI DSS are examples of this. You are legally required to notify the supervisory authority (ICO) and the data subject (the individual) within 72 hours of any personal data breach that could potentially cause loss of revenue and harm your company’s image.
There is plenty of information and training available around the GDPR, and if you are interested in learning more, please contact BTA. You will, however, want to act now, as we are only 8 months away!
BTA is a managed IT services provider specialising in the full spectrum of business IT—from cyber security to hardware procurement. With over 20 years’ experience and a formidable reputation, BTA continue to be one of the leading IT providers in London. For more information on the GDPR, or business IT, please email firstname.lastname@example.org or call 020 8875 7676 today.