What is GDPR?
GDPR, the new General Data Protection Regulation, comes into force in May 2018 and affects virtually all businesses, large and small, including schools, the health service and the whole of the public sector, and from 2019 even charities.
Arguably GDPR, an EU regulation that the UK is committed to implementing despite Brexit, is the biggest change affecting businesses since the introduction of the Human Rights Act in 1998.
GDPR affects every aspect of a company or firm, from personal records to accounting and marketing. Failure to adhere to the new rules will result in fines of up to €20 million or 4% of turnover, whichever is greater. Despite a fanfare of publicity, many businesses are still not prepared for the changes needed, and even some senior business leaders seem oblivious to the new company policies that will need implementing before May 25 2018.
What is the scope of GDPR?
GDPR affects businesses in twelve different ways and includes the following eight individual rights, some of which are new:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. The right not to be subject to automated decision-making including profiling
These points affect trading in a number of key areas, such as marketing. There must now be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to offer simple ways for people to withdraw it. In summary, where previously recipients could opt out, now they must opt in.
Individuals now have a stronger right to have their data deleted where your business relies on consent as the lawful basis for processing their data. Businesses will also have to explain their lawful basis for processing personal data in privacy notices and when replying to subject access requests.
The right to erasure, effectively the right to be forgotten, will require businesses to be able to confidently delete an individual's records and make no further direct contact with them.
For the first time, the GDPR will bring in special protection for children's personal data. Do you employ people under 18? If so, parent or guardian permission may be needed for certain activities.
Businesses now also need to ensure that they have the right procedures in place to detect, report, investigate and, where necessary, notify the ICO of any personal data breaches.
If you think this is challenging, your business will also need to consider whether it should formally designate a Data Protection Officer (DPO), and if your organisation operates in more than one EU member state, you will also need to determine your lead data protection supervisory authority and document it.
If this all sounds very complicated, you should strongly consider seeking external professional guidance from someone like Allott & Associates.
To help regionally based businesses, Allott & Associates is organising a free breakfast seminar at the former Royal Residence, Goldsborough Hall, near Knaresborough. The event, organised in conjunction with DMM Training and Development, will take place on Tuesday November 7. Starting at 8.30 am and concluding at 10.30 am, it will provide attendees with a detailed GDPR briefing. Places are limited, so to attend the free briefing please register your interest ASAP.
A separate, optional, paid one-day formal training course has also been organised for companies on December 5 2017 at Goldsborough Hall. The cost is £395 per person. This includes a structured one-day training course on the changes your business will need to make and what you need to do to comply. The day includes:
- Course Notes / Material
- Certificate of attendance
For further information please contact Allott & Associates using the contact details further below.
Allott & Associates is already working with businesses, both SMEs and much larger bodies, to help them make the changes needed to stay lawful. Allott & Associates helps clients identify their new legal obligations through onsite audits and then provides the guidance needed where in-house policies need changing.
The audit, which is completed by a GDPR Practitioner, takes half a day of preparation, one day onsite and one day preparing the written report, with a subsequent follow-up meeting. Following implementation of the changes needed (which Allott & Associates can draft if required), a further mini audit will take place to check that everything has been completed.
Having the peace of mind to know that your business or organisation has made the changes necessary is worth its weight in gold.
For more information and further guidance or a bespoke quotation, please call Allott & Associates today on 01423 867264 or 0207 257 2017 or complete the contact form.
Our GDPR brochure can be downloaded here.