GDPR is a European directive that comes into effect (in spite of Brexit) on 25 May. It builds on and replaces our existing data protection regime under the Data Protection Act.
You will have to take more care with the data that you hold about individuals. Before you collect it you will have to obtain the freely given, specific and informed consent of the individual. You will have notified them in clear and plain language, in concise, accessible, transparent and intelligible form:
- What information you are recording about them and why;
- What you are going to do with it;
- Who you will share it with and why; and
- How long you will keep it.
Some personal data is sensitive, such as racial or ethnic origin, political opinions, sexual orientation and you can’t record it without a lawful purpose, as well as specific consent.
You need to have systems in place to be able to respond to data subjects’ requests, including to:
- see what information you hold about them;
- correct or erase personal data that is no longer required (the right to be “forgotten”);
- restrict data processing;
- receive a copy of the personal data or transfer to another data controller.
You will have to notify them if there is a data security breach, as well as reporting to the Information Commissioner’s Office.
You have up to a month in most cases to respond and provide the information requested, without charge, although there is a right to refuse where the request is manifestly unfounded or excessive. .
You may also need to demonstrate that your business and systems comply with GDPR. This means implementing policies and procedures that embed data protection measures into business policies and procedures throughout the business. The first thing to do is to look at your terms of business and whether they provide the authority to process personal data. Then you must look at your internal systems and staff training.
Failure to comply with GDPR’s requirements could expose your business to huge fines by the Information Commissioners Office as well as liability to data subjects, not to mention the damage to your reputation. The ability to demonstrate that your business has taken GDPR seriously and has systems in place would help you defend a complaint or claim.
If you aren’t GDPR ready, you have 100 days.
If you want help to get there or more information about how Newtons can help, email info@newtons.co.uk