Are UK businesses ready for the new General Data Protection Regulation (GDPR)?
All UK organisations that hold or process personal information must comply with the Regulation, whatever their size, and be compliant by 25th May 2018!
The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 and aims to give control of personal data back to individuals by addressing modern concerns about data protection in the digital age. All UK organisations that hold or process personal information must comply with the Regulation, whatever their size, and be compliant by 25th May 2018.
The way we use data has changed significantly over the last 20 years, specifically in relation to how personal data is acquired and handled. Data can be stored locally or in the cloud, hosted anywhere in the world. All personal data, wherever it is stored and whether on paper or in electronic form, falls within the scope of the GDPR.
The GDPR takes a wide view of what constitutes personally identifiable information (PII). Companies will need the same level of protection for data such as an individual’s IP address or cookie data as they do for a name, address and national insurance number. Photos and CCTV images count as personal data too. Where personal data relates to children, additional rules apply.
The Regulation contains new rights for people to access the information that companies hold about them. Companies will need to obtain consent and demonstrate why people’s information is being collected and processed, providing descriptions of the technical security measures in place.
To help prepare for the GDPR, the Information Commissioner’s Office (ICO) has created a 12-step guide which includes steps such as making key people aware of the Regulation; determining what information is held; reviewing current privacy notices; identifying the lawful basis for processing the data; and planning what should happen in the event of a data breach.
A recent survey found that only 29% of UK businesses had started preparing for the GDPR. But when it comes to GDPR compliance, doing nothing simply isn’t an option!
The cost of failing to be GDPR-compliant is high, and fines await those who fail to meet the new standards. The maximum penalty for breaching the GDPR is €20m or 4% of global revenue, whichever is greater. Time is running out to meet the deadline.
Liveryman Rachel Whitehouse
Liveryman Rachel Whitehouse works with the consultancy Auditel, which supports SME firms in the UK by auditing and advising on how to become GDPR-compliant and assisting with the implementation of any changes required.