Is your Business prepared for GDPR?
The European General Data Protection Regulation (GDPR) comes into force in the UK on 25th May. Replacing our Data Protection Act, the GDPR will introduce significant changes to how personal data should be handled and stored. Non-compliance could lead to significant fines, so it is important that businesses take these changes seriously
You must be able to point to 1 of 6 defined reasons for lawfully processing personal data:
- Consent. The data subject has expressly agreed. Consent must be specific and unambiguous and made by a clear and affirmative action. Implied consent (or pre-checked boxes) will not be enough.
- Necessary for the performance of a contract. For example, an employer’s contract of employment.
- Legal compliance. For example, sending data to HMRC for customers.
- Protection of vital interests, such as medical needs.
- Public interest, where for instance the data is in the realms of the public sector.
- Legitimate interests of the Data Controller. This may be appropriate where you use a person’s data in ways they would reasonably expect and which have a minimal impact on their privacy.
For many businesses, the focus will be on employees and customers or potential customers. If you hold employee or customer details, the GDPR will apply to you.
How you should be preparing for the GDPR will depend on what information you hold and how it is used. The key place to start is establishing what data you have, how it is gathered, stored and used and prepare to demonstrate that you have conducted this ‘data audit’. You should then identify any risks or gaps in your compliance. This may well mean changes right across an organisation.
By way of example, if you are an employer then you should consider the following matters as a priority:
- Privacy notices: A clause in your employment contracts will no longer be sufficient for the purposes of ‘consent’ to handle data. Instead, you should provide your employees with a separate privacy notice.
- You need to be able to demonstrate that you and those within your organisation are complying with the GDPR, so consider staff training materials.
- You might outsource payroll activities, which would mean a need to include specified terms within a written contract with that party.
- It may also be an idea to review the terms in your existing contracts or Terms and Conditions to ensure that you are fully compliant.
- Consider whether to appoint a Data Protection Officer. If possible, you should designate someone to take responsibility for data protection compliance and decide where this will sit within your organisation. However, you may be legally required to appoint a Data Protection Officer. We are able to advise you on whether this is necessary for you.
You should also be aware of potential cyber security implications. The GDPR requires personal data to be processed in a way that ensures its security. This includes protection against accidental loss, destruction or damage. The GDPR also requires that appropriate technical or organisational measures are used. Businesses such as Telkeda Ltd (based in Nantwich) provide Information Risk Management services throughout the North West and can provide you with clear cyber security advice. You can contact them on 01270 440706 or firstname.lastname@example.org.
Our lawyers are able to help you to understand and meet your GDPR responsibilities with a number of services. If you have any queries or would like to speak to someone about your specific requirements, please call either Carina Pennant-Williams or Anna Mottram on 01270 611 106 for an initial free discussion.